US20060271707A1 - Domain name system resolution - Google Patents
Domain name system resolution Download PDFInfo
- Publication number
- US20060271707A1 US20060271707A1 US11/474,573 US47457306A US2006271707A1 US 20060271707 A1 US20060271707 A1 US 20060271707A1 US 47457306 A US47457306 A US 47457306A US 2006271707 A1 US2006271707 A1 US 2006271707A1
- Authority
- US
- United States
- Prior art keywords
- vpn
- modem
- address
- server
- host name
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
Definitions
- the present invention relates generally to communication networks, and particularly to a computer implemented method for resolving host names on a network, specifically networks having more than one DNS (Domain Name System) server, such as a Virtual Private Network (VPN).
- DNS Domain Name System
- VPN Virtual Private Network
- Communication networks can generally be characterized as either private or public networks.
- a permanent or switched network such as a telephone network.
- the communicating computers typically connect directly to each other via a dial-up or leased line connection, thereby emulating their physical attachment to one another.
- This type of network is usually considered private because the communication signals travel directly from one computer to another.
- VPN virtual private network
- a virtual private network is a private data network that makes use of tunnels to maintain privacy when communicating over a public telecommunication infrastructure, such as the Internet.
- the purpose of VPNs is to give server operators, such as corporations, the same capabilities that they would have if they had a private permanent or switched network.
- VPNs also cost much less to operate than other private networks, as they use a shared public infrastructure rather than a private one.
- Data communicated on a VPN is encrypted before being sent through the public network and decrypted at the receiving end.
- An additional level of security involves encrypting not only the data but also the originating and receiving network addresses. Server operators today are looking at using VPNs for both extranets and wide-area intranets.
- VPN Setting up a VPN, however, is a complex task. Corporations providing VPN connectivity to their employees, typically, must go through a number of inefficient steps before a VPN network can be established between the server operator's server and an employee's client computer. First, the server operator must set up the individual's account on the server-side. To accomplish this, a VPN system administrator at the server-side, manually enters the configuration data for the new client, determines the necessary security settings, inputs the security settings into an authentication server, and configures the server-side firewall so that it will accept incoming packets from the new client.
- the VPN system administrator has to configure the client-side by manually entering the configuration data for the new server, determining the necessary security settings, inputting the security settings, and configuring the client-side firewall so that it will accept incoming packets from the new server.
- GUI Graphical User Interface
- users can enter a string of text into a text box on the Graphical User Interface (GUI) of these applications.
- this text box may be called, among other things, a destination field, location field, address field, or URL field.
- URLs Uniform Resource Locators
- a folder or directory name anywhere on the network that the client computer is connected to may also be entered into the text box.
- a URL is a compact string representation for a resource that is available on the Internet.
- a URL is written as follows: [ ⁇ scheme>: ⁇ scheme-specific-part>].
- the ⁇ scheme> portion of the URL identifies which scheme is being utilized.
- the better known schemes are File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), the Gopher Protocol, Wide Area Information Servers (WAIS), USENET News Protocol (News), and the Prospero Directory Service (Prospero).
- the client computer If the text entered is a URL, i.e., prefixed by ftp://, http://, www, etc., the client computer first searches its local cache to see if Web content, such as a Web page, associated with the URL is present on the local client computer. If it is, the associated Web content is displayed to the user. If it is not, the client computer sends out a DNS request to a DNS server dictated by the user's Internet settings, where the DNS (Domain Name System) resolves Internet domain names, such as www.company.com, into IP (Internet Protocol) addresses, such as 204.0.8.51.
- DNS Domain Name System
- IP Internet Protocol
- the DNS server searches its DNS tables to locate an IP address associated with the URL. If an IP address is located, the IP address is returned to the local computer which then sends a request for the Web page (or other content, such as a file) to that IP address. If an associated IP address is not found on the DNS server, the DNS server returns a “page not found” response to the client computer.
- the text entered is a directory or folder name on the client computer, or within the network that the client computer forms a part of, and if such a directory or folder name is located, the contents of that folder or directory is displayed. If the text entered is not a directory or folder name on the client computer, or within the network that the client computer forms a part of, the text is sent to a designated search engine which conducts a search of the Internet using the text as the search term. A most likely Web page and/or a list of results located is subsequently displayed to the user. A description of this process can be found in U.S. Pat. No. 6,009,459, which is incorporated herein by reference. Selection of the search engine, most likely Web page, and the list of results is controlled by the manufacturer of the application and cannot be altered by the user.
- the above mentioned text entry system works sufficiently well for a single client computer connected to the Internet.
- multiple DNS servers and/or folders or directories with the same name may coexist on the VPN. Therefore, the client computer, or its modem, has no way of intelligently determining which cache to search, which DNS server to send the request to, which search engine to use, and/or which directory or folder's contents to display.
- a need therefore, exists to manage and prioritize requests entered into the text box of the above mentioned applications.
- a host name query is received by a modem from a client computer.
- the host name query is simultaneously transmitted from the modem to a plurality of Domain Name System (DNS) servers.
- DNS Domain Name System
- a response is returned to the client computer from the modem, where the response is based on the host name query and any responses received from the DNS servers.
- at least one address associated with the host name query is acquired from the DNS servers.
- the client computer then sends a request for content to the address. If more than one address is returned, all but one of the addresses is eliminated. This can be done by rejecting all but the most recent address, or rejecting all addresses not provided by a service provider DNS server.
- a search is performed using the host name query as a search string, and an address of where the results of the search can be viewed is transmitted to the client computer.
- a computer program product for performing the above method is also provided.
- FIG. 1 is a block diagram of the system architecture according to an embodiment of the present invention.
- FIG. 2 is a block diagram of the modem shown in FIG. 1 ;
- FIGS. 3 A-D are flow charts of a method for automatically configuring a VPN according to an embodiment of the invention.
- FIGS. 4 A-C are flow charts of a method for establishing multiple VPN tunnels over a single modem according to an embodiment of the invention
- FIGS. 5 A-C are flow charts of a method for automatically resolving host names in a VPN according to an embodiment of the invention.
- FIG. 6 is a Graphical User Interface (GUI) of a VPN system administration Web page.
- GUI Graphical User Interface
- the VPN disclosed herein makes use of a public telecommunication infrastructure and maintains secure communication through the use of encrypted tunneling protocol and security procedures. From the user's perspective, the connection appears to be a private network connecting the user's computer to a server operator's server-side system despite the fact that all communication is occurring over the public telecommunication infrastructure.
- a preferred VPN meets the following general requirements for network security and access control.
- Information transferred over the VPN is encrypted with strong encryption algorithms, thereby ensuring confidentiality.
- An unauthorized party without the knowledge of the sending and receiving parties cannot secretly modify the transferred information, thus safeguarding the integrity of the communication.
- both sides need to authenticate themselves to each other by using Digital Certificates.
- a home user will only be able to access the VPN and transfer or receive information from the server operator system after the user provides a username, password and optionally a tokencode and is authenticated by the server operator's authentication server.
- the VPN system disclosed herein is relatively easy for telecommuting users to install and maintain, as the client VPN software resides on the user's modem instead of on the user's client computer. This alleviates drawbacks associated with software interoperability and maintenance issues on the user's client computer. Also, server operator VPN system administrators can securely connect to easy to use web interfaces to manage their entire VPN system.
- FIG. 1 is a block diagram of the system architecture 100 , according to an embodiment of the present invention.
- a client-side system 108 connects to both a service provider system 146 , and a server-side system 130 , where the client-side system 108 , service provider system 146 , and server-side system 130 are preferably computer networks comprising one or more computing devices coupled together.
- the client-side system 108 comprises one or more computers coupled to a modem.
- the client-side system 108 is preferably operated by one or more users who desire to connect to the server-side system 130 via a VPN.
- the server-side system is preferably operated by a server operator, such that the user can connect or telecommute via a VPN with the server-side system 130 as if he or she was locally connected to it.
- a service provider preferably operates and controls the VPN and the service provider system 146 . It should be understood that the service provider, user, and server operator may be distinct individuals, a group of individuals, a legal entity, or the like. Furthermore, although in practice, the service provider, the user, and/or the server operator are separate entities, this is not required.
- the client-side system 108 preferably comprises one or more client computers 102 ( 1 )-(N) coupled together to form a local area network or LAN 104 .
- Client computers 102 include any type of computing device, such as a personal computer, handheld computer, or the like.
- the LAN 104 is coupled to a modem 106 that in turn couples to a service provider managed network 114 and the Internet 116 .
- the modem 106 is a DSL (Digital Subscriber Line) modem that couples to a Digital Subscriber Line Access Multiplexer (DSLAM) 112 , which is a network device that is usually located at a telephone server operator's central office 110 .
- DSL Digital Subscriber Line
- DSL Digital Subscriber Line Access Multiplexer
- the DSL modem 106 preferably couples to the DSLAM 112 over regular telephone lines [POTS (plain old telephone service) lines].
- POTS plain old telephone service
- the DSLAM 112 couples to the service provider managed network 114 and the Internet 116 in a manner well understood in the art.
- the service provider managed network 114 is preferably an ATM (Asynchronous Transfer Mode) network. It should be understood that DSL technology is only one way of connecting to the Internet 116 . DSL technology is used for its speed of communication and accessibility to users' homes over regular telephone lines. In alternative embodiments of the invention, cable modem technology, satellite technology, or the like may be utilized as long as the modem described is used.
- the service provider managed network 114 also couples to the service provider system 146 .
- the service provider system 146 preferably comprises a service provider's DNS server 120 , a VPN Provider 118 , and an HTTP (Web) server 160 containing administration HTTP (Web) pages 162 , an example of which is shown in FIG. 6 .
- the administration HTTP (Web) pages 162 may alternatively be stored on a Value Added Network Services (VANS) database 128 .
- VANS Value Added Network Services
- the VPN Provider 118 is an important part of the VPN infrastructure. Based on commands and information entered into administration Web pages 162 by remote corporate VPN system administrators, the VPN Provider 118 dispatches instructions to configure and control the modem 106 and a VPN concentrator 136 (described below) and manage their security policies.
- the VPN concentrator 136 is a device that combines several communications channels into one and is often used to tie multiple terminals together into one line.
- the VPN Provider 118 also transmits certificate and private keys from a security generator, such as a Public Key Infrastructure (PKI) synchronizer 124 , where keys are numeric codes that are combined in some manner with communicated data to encrypt it for security purposes.
- PKI Public Key Infrastructure
- the corporate administration Web-pages 162 are preferably unique for each server operator and only allow administration of VPN concentrators 136 resident at the server-side system locations 130 , and users that access such server-side systems 130 .
- the VPN Provider 118 is preferably coupled to an OSS (Operational Support System) 122 , a Public Key Infrastructure (PKI) synchronizer 124 , a VPN synchronizer 126 , a Value Added Network Services (VANS) database 128 , and a modem synchronizer or cache farm 148 .
- OSS Operaational Support System
- PKI Public Key Infrastructure
- VPN VPN synchronizer
- VANS Value Added Network Services
- modem synchronizer or cache farm 148 preferably controls online-ordering and billing of VPN services.
- PKI is preferably used to secure the communications
- any suitable alternative security mechanism may be used.
- PKI enables users of an unsecured public network, such as the Internet, to securely and privately exchange data through the use of public and private cryptographic key pairs that are obtained and shared through a trusted authority.
- PKI provides for Digital Certificates that can identify individuals or organizations.
- a Digital Certificate is an electronic “credit card” that establishes a sender's credentials. It is issued by a certification authority (CA) 150 , and contains the senders name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting and decrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
- CA certification authority
- the PKI synchronizer 124 consists of: a certificate authority (CA) 150 that issues and verifies Digital Certificates, where each certificate includes the public key or information about the public key; a registration authority (RA) 152 that acts as the verifier for the CA before a Digital Certificate is issued to a user; and one or more directories 154 where the certificates (with their public keys) are held.
- CA certificate authority
- RA registration authority
- directories 154 directories 154 where the certificates (with their public keys) are held.
- a certificate management system may also be provided.
- the PKI processes PEM (Privacy Enhanced Mail) encoded PKCS #10 (Public-Key Cryptography System) Digital Certificate requests and return Certificates in the PKCS #7 format, where the Root CA is the parent authority that all CAs trust.
- PEM Primary Enhanced Mail
- PKCS #10 Public-Key Cryptography System
- Digital Certificate requests and return Certificates in the PKCS #7 format where the Root CA is the parent authority that all CAs trust.
- the PKI generates private and public key pairs.
- the public key is used for certificate creation, while the private key, once it has been sent to and received by the modem, is deleted from the PKI.
- the PKI requires an API (Application Program Interface) that can be called by the VPN Provider to control the PKI functions such as process a certificate request, etc.
- the PKI also needs to support revoking certificates with a minimum of issuing CRL's (Certificate Revocation List).
- the VPN Synchronizer 126 is used to serve security data via the VPN provider to the VPN Concentrator 136 , while the modem synchronizer or cache farm 148 is used to serve security data via the VPN provider to the modem 106 .
- the VANS database 128 provides the features that allow management of the entire VPN.
- the VANS database contains the security policies and certificates for the modem 106 and the VPN Concentrators 136 .
- a security policy for each modem and each VPN Concentrator 136 is stored in the VANS database 128 .
- the VANS database preferably contains server location information, network information, or the like.
- the network information preferably includes DNS server 144 addresses, authentication server 138 addresses, WINS (Windows Internet Naming Service) server IP addresses, default corporate network subnets, encryption and authentication algorithms, user's configuration information (locations, additional corporate subnets allowed to connect to), or the like.
- the server-side system 130 preferably consists of a router 132 coupled to a firewall 134 and a VPN concentrator 136 .
- the firewall 134 and VPN concentrator 136 are coupled to a local area network or LAN 156 .
- the LAN 156 couples an authentication server 138 , a file server 140 , a proxy server 142 , and the server operator's DNS server 144 to one another.
- the router 132 is a device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination.
- the router 132 is coupled to at least two networks, namely the Internet 116 and the LAN 156 , and decides which way to send information packets based on its current understanding of the state of the networks it is connected to.
- the firewall 134 is a set of related programs located at the server-side system 130 , that protects the resources of the LAN 156 from users connected to the Internet 116 .
- the firewall 134 also works with the proxy server 142 to make network requests on behalf of corporate workstation users (not shown).
- the firewall is preferably installed on a computer separate from the rest of the LAN 156 so that no incoming request can access private network resources.
- the firewall 134 may form part of another computer, such as the router 132 or VPN Concentrator 136 .
- the firewall 134 allows remote access to the private LAN 156 by the use of secure logon procedures and authentication certificates, explained below.
- a VPN tunnel is constructed between the modem 106 and the VPN concentrator 136 , which acts as a server and responds to VPN session requests.
- the VPN concentrator 136 conforms to IETF IKE (Internet Engineering Task Force-Internet Key Encryption) and IPSec (Internet Protocol Security) standards and provides as a minimum DES (Data Encryption Standard) and/or 3DES (Triple Data Encryption Standard (168 Bit)) encryption and HMAC-MD5 (Hashed Message Authentication Code-Message Digest 5) and/or HMAC-SHA1 (Hashed Message Authentication Code-Secure Hash Algorithm 1) authentication algorithms.
- the VPN concentrator also preferably supports multiple concurrent IPSec tunnels and is fully compatible with authentication and encryption software, such as the HIFN IKE and IPSec Toolkits 238 that are shown and described in relation FIG. 2 .
- the IKE Security negotiation authenticates the sender and receiver using standard X.509v3 Digital Certificates.
- An example of a suitable VPN concentrator is made by REDCREEK COMMUNICATIONSTM, Inc., and is configured by controlling and pushing configuration details to REDCREEK'S E-DIRECTORTM (ReD) server.
- the authentication server 138 is used to authenticate a VPN session request from the modem 106 .
- the authentication server 138 is a RADIUS (Remote Authentication Dial-In User Service) server.
- RADIUS is client/server protocol and software that enables clients to remotely communicate with a central server that authenticates users and authorizes their access to the requested system or service.
- RADIUS allows a server operator to maintain user profiles in a central database, preferably on the authentication server 138 , that all remote servers can share.
- RADIUS also provides enhanced security, allowing a server operator to set up a policy that can be applied at a single administered network point. Having a central service also means that it is easier to track usage for billing and for keeping network statistics.
- RADIUS client software is preferably also located on the modem 106 , such that data packets sent by the modem 106 are RADIUS formatted.
- RADIUS software is “Funk Steel Belted RADIUSTM” made by FUNK SOFTWARETM, Inc.
- the file server 140 is used to serve files requested by a user to a client computer 102 .
- the proxy server 142 is a server that acts as an intermediary between the LAN 156 and the Internet so that the server operator can ensure security, administrative control, and caching service.
- One function of the proxy server 142 is to accept securely formatted packets (preferably RADIUS formatted packets) from the modem's security software 226 ( FIG. 2 ) (preferably RADIUS software) and proxy the request to the authentication server 138 .
- the proxy server uses open source software, such as CISTRON RADIUS SERVER VERSION 1.6.3TM, and is modified to accept RADIUS packets from client computers 102 without client configuration.
- OEM Radius software Funk Steel Belted RadiusTM
- Promiscuous mode is the condition in which a node in a network recognizes and accepts all packets on the line regardless of protocol type or destination.
- Use of the server operator's DNS server 144 will be explained in detail below in relation to FIG. 5 .
- the functions of the various devices shown in FIG. 1 can be provided by separate devices or software, or combined in a single device or software package.
- different procedures can be resident in different, or the same computers.
- the proxy server 142 may be in the same computer as the firewall 134 or it may be on a separate computer.
- FIG. 2 is a block diagram of the modem 106 shown in FIG. 1 .
- Modem 106 preferably includes at least one data processor or central processing unit (CPU) 202 ; a memory 210 ; communication circuitry 206 ; input and output ports 204 ; and at least one bus 212 that intercouples these components.
- Memory 210 preferably stores an operating system 214 (such as VXWORKSTM made by Wind River Systems Inc., or EMBEDDED LINUX a free Unix-type operating system), having instructions for communicating, processing, accessing, storing, or searching data, etc.
- VXWORKSTM made by Wind River Systems Inc.
- EMBEDDED LINUX a free Unix-type operating system
- Memory 210 also preferably includes communication procedures 216 ; a packet filtering firewall (FW) 218 ; an HTTP (Web) server 220 ; an HTTP (Web) client 222 ; HTTP (Web) pages 224 ; security procedures (Radius client) 226 ; Network Address Translation (NAT) 228 ; a DHCP (Dynamic Host Configuration Protocol) server 230 ; DNS relay procedures 232 ; a flash memory 234 ; a cache 236 ; an IKE/IPSec Toolkit 238, such as that made by HI/FN, Inc; and a Digital Certificate manager 240 , such as a X.509v3 Digital Certificate manager made by HI/FN, Inc.
- FW packet filtering firewall
- Communication procedures 216 are used for communicating with the service provider system 146 ( FIG. 1 ), the server-side system 130 ( FIG. 1 ), and the client-side local LAN 104 ( FIG. 1 ).
- the packet filtering firewall (FW) 218 protects the resources of the client-side LAN 104 ( FIG. 1 ) from users connected to other networks.
- the HTTP (Web) server 220 serves HTTP (Web) pages 224 to users of the client computers 102 ( FIG. 1 ).
- One such Web page is a user login page with fields for entering security data, such as a username and password.
- the HTTP (Web) client 222 requests Web pages from the Internet 116 ( FIG. 1 ) and preferably utilizes Digital Certificates and supports SSL (Secure Sockets Layer).
- the security procedures 226 enable the client computers 102 ( FIG. 1 ) to communicate with the server-side system 130 ( FIG. 1 ), authenticate VPN users, and authorize user access to the requested servers. As discussed above, the preferred security procedures 226 utilize RADIUS client software. The security procedures 226 are used to proxy the user's authentication request to the corporate proxy server 142 ( FIG. 1 ). An authentication reply from the authentication server 138 ( FIG. 1 ) determines whether access to the server-side system 130 is granted. As explained in greater detail in relation to the description of FIG. 4 below, if a valid authentication response is received by the modem 106 ( FIG. 1 ), encrypted packets can be communicated between a client computer and the server-side system. The security procedures 226 preferably conform to RFC (Request for Comments) 2138.
- NAT 228 is used to translate Internet Protocol addresses (IP addresses) used within one network, preferably the LAN 104 ( FIG. 1 ), to different IP addresses known within another network, preferably the Internet 116 ( FIG. 1 ). Therefore, NAT maps the LAN IP addresses to one or more global IP addresses and unmaps the global IP addresses of incoming packets back into LAN IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses used by the modem 106 ( FIG. 1 ).
- the VPN effectively extends the server-side system 130 ( FIG. 1 ) to a user's home client computer.
- NAT Network Address Translation
- the VPN system supports a number of scenarios. If the server operator assigns private non-routable IP address blocks for all user's utilizing the VPN (ex.
- the assigned IP block must be unused throughout all the server-side system locations.
- the VANS sub-system 122 , 150 , 126 , 128 , and 148 ( FIG. 1 ) will allocate a subnet for each user from the assigned IP blocks.
- the modem's DHCP server 230 ( FIG. 2 ) is configured to offer the subnet to the client computers 102 ( FIG. 1 ). Alternatively, if the server operator assigns a global static IP address to each modem, the modem uses a one-to-one NAT to make each client computer appear to be sourced by the static IP address.
- the DHCP server 230 lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses to the client computers 102 ( FIG. 1 ) in the LAN 104 ( FIG. 1 ). Using the Internet's set of protocols (TCP/IP), each client 102 ( FIG. 1 ) that can connect to the Internet 116 ( FIG. 1 ) is assigned a unique IP address. Without DHCP, the IP address must be entered manually at each computer and, if computers move to another location in the LAN, a new IP address must be entered. The DHCP server 230 lets a network system administrator supervise and distribute IP addresses from a central point and automatically send a new IP address when a computer is plugged into a different place in the network.
- IP Internet Protocol
- the DNS (Domain Name System) relay procedures 232 allows the user's client computer 102 ( FIG. 1 ) to resolve IP addresses within the private corporate-side LAN 156 ( FIG. 1 ), and resolve Internet domain names into IP addresses.
- the flash memory 234 is a type of constantly-powered nonvolatile memory that can be erased and reprogrammed in units of memory called blocks.
- the following is stored in the flash memory 234 :
- the cache 236 is a temporary storage memory.
- the HIFNTM provided IKE/IPSec Toolkit 238 and HIFNTM provided X.509v3 Digital Certificate management 240 are software products provided by HI/FN, Inc.TM, which are used to implement IPSEC (Internet Protocol Security) and IKE (Internet Key Encryption).
- the server operator firstly enters into an agreement for DSL service, including VPN, from a service provider 146 .
- a VPN concentrator 136 ( FIG. 1 ) is provided to the server operator, and the server operator is given a code which is entered when the user sign up for DSL service.
- the service operator is also given a web client Digital Certificate, an HTTP administration URL (Uniform Resource Locator) that the server operator can use to access and administer their VPN system, and an administrator username and password used to login to the administrator Web page, as explained below in relation to FIG. 6 .
- the code is used to determine which server operator a user is associated with. This information is passed on to the user by the server operator.
- the user By logging on to the service provider's Web page, the user can preferably request DSL and VPN service by entering the code, their telephone number, name and address, etc. Subsequently, a modem is supplied to the user, which the user preferably connects to a phone line and at least one client computer 102 ( FIG. 1 ). A browser link on the client computer is used to access login Web-pages located on the modem. The modem automatically configures, and the system administrator instructs the VPN system, via an administration Web-page, to supply VPN service to the user. The system automatically configures the VPN system and the server operator is billed.
- the modem is preferably configured to send and receive data traffic directly to and from the Internet, while only server operator side data traffic is sent and received through the VPN tunnel. If a modem does not have this feature, all data traffic must first be sent through the VPN tunnel to the server operator, and thereafter the data traffic destined for the Internet passed through the server operator network firewall.
- FIGS. 3 A-D are flow charts of a method 300 for automatically configuring a VPN according to an embodiment of the invention.
- a VPN system administrator such as a corporate IT administrator, requests (step 302 ) an administration interface from the service provider.
- the service provider receives (step 304 ) the request for the administration interface and sends (step 308 ) the administration interface to the administrator.
- the administration interface is preferably the administration Web page 162 ( FIG. 1 ) stored on the service provider's Web server 160 ( FIG. 1 ), an example of which is shown in FIG. 6 .
- secure login is preferably provided so that only the administrator can log into his server operator's VPN administration system.
- the administrator then receives (step 306 ) the administration interface, preferably containing a list of users and corporate servers, and selects (step 310 ) the corporate servers to add to the VPN system.
- the selected corporate servers are then transmitted (step 312 ) to the service provider who receives (step 314 ) the selection.
- the administrator selects (step 316 ) the users that he would like to add to the VPN system.
- the selected users are then transmitted (step 318 ) to the service provider who receives (step 320 ) the selected users.
- selected servers and users may be transmitted simultaneously.
- the VPN provider 118 accesses the PKI synchronizer 124 ( FIG. 1 ) to determine (step 322 ) the security settings for the VPN, using standard security means, such as digital certificates.
- the security settings are obtained as follows.
- a public and private key are created simultaneously using an algorithm by the certificate authority (CA) 150 ( FIG. 1 ).
- the private key is given only to the requesting party and the public key is made publicly available (as part of a Digital Certificate) in a directory that all parties can access.
- the private key is never shared with anyone or sent across the Internet.
- the private key is used to decrypt text that has been encrypted with the public key by the sender.
- authentication can also be provided by using the private key to encrypt a Digital Certificate.
- the selected corporate servers, users, and security settings are then stored (step 324 ) in the VANS database 128 ( FIG. 1 ).
- a one-time only password is subsequently transmitted (step 326 ) to the new user.
- the user using one of the client computers 102 ( FIG. 1 ), and the modem, receives (step 328 ) the one time only password, which is stored in the modem's flash memory 232 ( FIG. 2 ).
- the user requests a one-time only login page which is stored as one of the Web pages 222 ( FIG. 2 ) on the modem.
- the Web server 220 ( FIG.
- the modem 2 on the modem then serves (step 329 ) the one-time only login page to the user's web browser on the client computer.
- the one-time only login page is received and displayed (step 331 ) on the client computer.
- the user enters the one time only password, which is transmitted (step 332 ) to the service provider.
- the service provider more specifically the VPN provider 118 ( FIG. 1 ) receives (step 334 ) the one time password and passes the one time password to the PKI Synchronizer 124 ( FIG. 1 ). If authentication of the one time password is successful (step 336 —Yes), the service provider automatically (cache farm/modem synchronizer 148 ) configures (step 338 and 340 ) the modem with the saved security settings.
- the service provider may also, at this time, automatically configure (step 342 and 344 ) the server-side system 130 ( FIG. 1 ) with the security settings.
- Configuration of the server-side system preferably entails configuration of the authentication server 138 ( FIG. 1 ) and the firewall 134 ( FIG. 1 ). If authentication of the one time password is not successful (step 336 —No), the one-time only login page is again displayed (step 331 ) on the client computer, and the user is again prompted to enters the one time only password.
- the modem preferably downloads a set of VANS Product URLs, which are pointers to the real security settings.
- the VPN Product URLs include a download VPN configuration URL, a download modem firewall configuration URL, a renew and download modem PKI certificates URL, and a report VPN operational test result URL.
- the modem connects to the VPN URLs, authenticates using the cached one time password, and downloads the VPN configuration from the VANS database 128 ( FIG. 1 ).
- the VPN Configuration preferably includes VPN security policy(ies), a private key and certificate, and a root CA certificate.
- the modem stores the VPN security policy(ies), and private key and certificates in its flash memory 232 ( FIG. 2 ).
- the modem then preferably configures its DHCP server 234 ( FIG. 2 ) for DNS server IP address; WINS server IP address; and assigned corporate IP subnet.
- the user is then instructed (step 346 ), preferably via a Web page, to reboot the client computer.
- the user then reboots (step 348 ) the client computer and the modem.
- the modem for each VPN Security Policy, then preferably performs an operational test where a VPN tunnel is created (step 350 ) and the internal port of the VPN Concentrator 136 ( FIG. 1 ) is pinged (step 352 ). If the operational test is successful (step 354 —Yes), the VPN login page (one of the Web pages 224 ( FIG. 2 ) on the modem) is enabled and configured (step 256 ). If the operational test is not successful (step 354 —No), then the user is prompted to re-enter the one time password, which is again transmitted (step 332 ) to the service provider.
- the above described method addresses the manual configuration drawbacks associated with current VPNs, as it is less complex, more efficient, and less costly than current VPN systems.
- the resources of service providers can be redirected to areas other than manually configuring the system.
- VPN service providers can eliminate sending out technicians to server operators and users to configure their systems. This leads to tremendous cost savings for the service provider and the server operator. Further benefits can be brought about by allowing multiple users to establish distinct VPNs using the same modem. These further benefits are described below in relation to FIGS. 4 A-C.
- FIGS. 4 A-C are flow charts of a method 400 for establishing multiple VPN tunnels over a single modem.
- the user or corporate employee requests (step 402 ) the initiation of a VPN session.
- the request is received (step 404 ) by the modem 106 ( FIG. 1 ). All routes which point to the tunnel are cleared.
- a login interface is then transmitted (step 406 ) to the client computer from where the request originated.
- the login interface is preferably a Web page 224 ( FIG. 2 ) stored on the modem 106 ( FIG. 2 ), and is preferably served by the Web server 220 ( FIG. 2 ).
- the login interface is received (step 408 ) by the client.
- the user enters a username and password and, from a list of server operators and/or servers, selects the location to connect to.
- a SecurID token is also entered by the user, where SecurID technology guards against unauthorized access by providing dynamic user authentication via a randomly generated one-time code that automatically changes every 60 seconds, which provides substantially greater security than traditional password systems.
- a location is listed for each VPN security policy resident on the modem, i.e., each server-side system 130 ( FIG. 1 ). These login details are then transmitted (step 410 ) to the modem's Web server 220 ( FIG. 2 ), which receives (step 412 ) the login details.
- the MAC address and/or IP (Internet Protocol) address of the client computer from where the request came, is determined and stored (step 414 ) in the modems flash memory 232 ( FIG. 2 ).
- the MAC address is a unique serial number burned into Ethernet and Token Ring adapters that identifies that network card from all others. Determination of the Mac or IP address is preferably accomplished by reading the connection log for the modem Web server 220 ( FIG. 2 ) to extract which host IP address made the request.
- the modem then configures (step 415 ) its security settings. Configuration of the security settings depends on the encryption standards used.
- the IPSec stack is configured with the server operator server's VPN Security Policy (VPN Concentrator IP address, authentication method, IKE and IPSec authentication and encryption algorithms, Diffie-Hellman Group, key lifetime).
- the security procedures 226 ( FIG. 2 ), preferably a Radius Client, is configured with details such as shared secret, Radius server IP address, port, etc. If a static IP address has been assigned to the modem, then the NAT (Network Address Translation) table 228 ( FIG. 2 ) is configured (one to one NAT using IP address for Location).
- the firewall 218 ( FIG. 2 ) is configured to allow for communications in both directions.
- IKE Phase 1 mode is established with the VPN Concentrator where the modem authenticates using its Digital Certificate to the VPN Concentrator, and Security Association (SA) is established between the modem and the VPN Concentrator.
- SA Security Association
- IKE Phase II negotiates IPSec SA.
- IPSec Tunnel is established based on SA.
- a route is added for connecting to the authentication server 138 ( FIG. 1 ).
- the security procedures 226 ( FIG. 2 ) on the modem preferably a Radius Client, transmits (step 416 ) an access request, which is received (step 418 ) by the authentication server 138 ( FIG. 1 ).
- the authentication server attempts to authenticate (step 420 ) the request.
- a response is formulated and transmitted (step 422 ) to the modem, which receives the response (step 424 ).
- the response may be either access accepted, access challenged, or access-rejected.
- a Web page from the stored Web pages 222 ( FIG. 2 ) on the modem, displaying such rejection is displayed (step 427 ) to the user and the user is allowed to re-enter and re-transmit (step 410 ) the login details, such as a username and password.
- access is challenged (step 428 —Yes)
- a Web page from the stored Web pages 222 ( FIG. 2 ) on the modem, displaying such challenge is displayed (step 427 ) to the user and the user is allowed to re-enter and re-transmit (step 410 ) the login details, preferably only the password.
- a VPN tunnel is established (step 432 ) between the client having the stored IP or MAC address and the server-side system. This is preferably accomplished by adding routes from the connecting client to the corporate subnets through a virtual interface. If split-tunneling is not allowed then the routes to the Internet are removed and the default route is set to the VPN Concentrator. Login details are stored in a log file, which is periodically pushed to the VANS database 128 ( FIG. 1 ) by the modem. The modem then starts a connection timer and monitors communication traffic.
- firewall rules are added to the packet filtering firewall 218 ( FIG. 2 ) to allow full access to the server-side system from only the client computer from where the VPN request originated. For example: add 210 allow ip from aaa.aaa.aa.aaa to bbb.bbb.bbbbbbb via dsl 0
- add 220 allow ip from bbb.bbb.bbbbbbbbbb to aaa.aaa.aaa via dsl 0
- aaa.aaa.aaa.aaaaa is the Telecommuter's PC IP address
- bbb.bbb.bbb.bbbbbbbb is the corporate subnet
- dsl 0 is the modem's virtual interface.
- step 434 If no traffic is detected for a length of time defined by the VPN system administrator, there is a system timeout (step 434 ), the tunnel is torn down and a disconnect message is displayed, where the user has the option to re-log on (step 438 ).
- the user may, also, at any point, choose to log out (step 436 ) of the VPN. Again the user is given the option to re-log on (step 438 ). If the user decides not to re-log on, he or she is logged out of the system (step 440 ). In this way security is protected by dropping the VPN should the user not be using the VPN for a predetermined length of time. Therefore, if a user forgets to disconnect from the VPN and leaves the client computer unsecured, the VPN will automatically be dropped after a length of time determined by the VPN system administrator.
- any of the remainder of the client computers 102 may login in the same manner as described above, where distinct VPNs are formed in the same manner as explained above.
- Security of the multiple VPNs is not compromised, because each VPN is only established between the client computer where login occurred and the corporate VPN associated with the user's unique login details. This is accomplished, as explained above, by restricting communication of each VPN to a single client computer having a previously established and stored IP or MAC address. Each VPN is then formed only between the server-side system selected by a user and the client computer from where login occurred.
- the VPN service for a user can be suspended or deleted. If suspended then the VPN Provider 118 ( FIG. 1 ) will instruct the modem 106 ( FIG. 1 ) to suspend VPN service. Any on-going IPSec session is stopped and no new IPSec sessions can be initiated. If deleted then the modem's Digital Certificate is revoked and the VPN Provider will contact the modem with instructions to delete its certificate and disable VPN service.
- the VPN Concentrator will only allow an IKE/IPSec connection from a VPN client (modem) with a valid Digital Certificate that can be authenticated by the issuing Certificate Authority 150 ( FIG. 1 ).
- the authentication works as follows:
- the modem will not initiate an IPSec connection to the VPN concentrator until a user's username, password, and token-number has been proxied in an Access-request message via a Radius Proxy server to a corporate Radius server and an Access-accept response is received back. Then the modem can initiate an IPSec connection and add the routes to the server-side system to its routing table. Also, the modem firewall rules are added to allow only traffic from the user's client computer to the server-side system.
- FIG. 5A -C are flow charts 500 of a method for automatically resolving host names in a VPN with multiple DNS servers, according to an embodiment of the invention.
- a split DNS internal/external
- the internal server operator DNS server contains all the server-side system's IP address which are private
- the external service provider DNS server contains all the IP address which are public.
- the DNS Relay procedures 232 ( FIG. 2 ) on the modem must, therefore, be able to relay DNS queries for the Internet domains to the service provider's DNS servers 120 ( FIG. 1 ), while relaying DNS queries for the corporate domains to the internal corporate DNS server 144 ( FIG. 1 ).
- the user's client computer DNS server settings are set to the internal IP address of the modem.
- the client computer 102 transmits (step 502 ) the host query to the modem 106 ( FIG. 1 ).
- the modem receives the query (step 504 ) and searches (step 506 ) its local cache 236 ( FIG. 2 ) for a host corresponding to the requested host.
- the modem locates the host in the cache (step 508 —Yes)
- the located host address is returned (step 512 ) to the client computer, which receives (step 542 ) the host address.
- the page itself will be returned to the client computer and displayed to the user.
- a host address is returned (step 512 ) to the client computer, then the client computer formulates a new request for content, and sends (step 544 ) it to the host address.
- the request is preferably a HyperText Markup Language (HTML) request for content such as a Web page or file.
- HTML HyperText Markup Language
- the host query is transmitted to all DNS servers set up in the modem.
- the host query is transmitted (step 514 ) to the server operator's DNS Server 144 ( FIG. 1 ), and is transmitted (step 516 ) to the service provider's DNS Server 120 ( FIG. 1 ).
- the server searches (step 522 ) for the host's associated address, which is preferably the host's IP address.
- the server searches (step 524 ) for the host's associated address, which is preferably the host's IP address. It should be noted that if fewer, or more, DNS servers are provided, they too will be sent the host request and they too will search for the host's associated address.
- step 526 If the server operator's DNS server locates (step 526 —Yes) the host's associated address, the address is returned (step 542 ) to the modem. If the server operator's DNS server does not locate (step 526 —No) the host's associated address, the server operator's DNS server transmits (step 546 ) a “No Host Found” message to the modem.
- the service provider's DNS server locates (step 528 —Yes) the host's associated address, the address is returned (step 530 ) to the modem. If the service provider's DNS server does not locate (step 528 —No) the host's associated address, the service provider's DNS server transmits (step 546 ) a “No Host Found” message to the modem.
- the modem determines (step 536 ) whether it has received more than one address, i.e., an address from both the service provider's DNS server and the server operator's DNS server. If only one address is received (step 536 —No), then the address is returned (step 540 ) to the client computer. If more than one address is received (step 536 —Yes), then the modem applies (step 538 ) a policy to the received addresses, so as to be left with only a single address. In the preferred embodiment the policy keeps only the most recent address. Alternatively, the policy may always return the address supplied by the service provider. Once the policy has been applied and only one address remains, that address is returned (step 540 ) to the client computer.
- the client computer formulates a request for content, such as an HTML request for a Web page, and sends (step 544 ) the request to the received address. Therefore, if for example a host request for “www.company.com” returns a request from both the service provider's and the server operator's DNS servers, the policy preferably returns either the latest IP address for “www.company.com” or returns the IP address from the service provider's DNS server, such as 216.32.74.10. The client computer then sends a request to 216.32.74.10, which returns the company's Web page.
- the above method therefore, resolves host names in a VPN with multiple DNS servers.
- the above method may also be used by the service provider to control the use of the search engine, most likely page, and results list returned when a user enters text into the text box that cannot be resolved. If neither of the DNS servers can resolve the host name, they transmit (step 546 ) a “No Host Found” message to the modem.
- the modem receives (step 548 ) the message and sends (step 550 ) the a search term to a search engine dictated by the service provider, or alternatively by the VPN system administrator, where the search term is based on the unlocated host name.
- the search engine receives (step 558 ) the search and conducts a search (step 560 ) based on the search term.
- the modem transmits (step 552 ) the address or IRL (Information Resource Locator) of where the search results can be found to the client computer.
- IRL Information Resource Locator
- the client computer requests, receives, and displays (step 556 ) the results as it would any Web-page.
- the service provider and/or VPN system administrator can control the search results displayed to the user.
- the VPN system administrator can set up the system so that when text is entered into the text box by a user, and no host address can be resolved from the text, the results of a search of the server operator's web site, using the text as the search term, can be displayed to the user.
- the service provider can generate revenue from displaying advertiser's Web pages more prominently on a list of search results.
- the modem automatically conducts the search.
- the above method may also be used to resolve host addresses for devices coupled to the VPN.
- Users using a file manager such as WINDOWS EXPLORERTM, or an Internet browser, such as MICROSOFT'S INTERNET EXPLORERTM, in conjunction with more recent versions of MICROSOFT WINDOWSTM, can resolve the host name of devices, or directories on these devices, coupled to the VPN.
- a file manager such as WINDOWS EXPLORERTM
- an Internet browser such as MICROSOFT'S INTERNET EXPLORERTM
- MICROSOFT'S INTERNET EXPLORERTM in conjunction with more recent versions of MICROSOFT WINDOWSTM
- the modem would attempt to locate a device, or directories on a device, that matched the entered name.
- the modem would send the host name to both DNS servers and if a device, or directories on a device, on the VPN matches “ComputerName,” return the address of that device.
- the above described method addresses the drawbacks associated with current DNS systems, while allowing a service provider to specify which search engine is to be used if a name cannot be resolved.
- FIG. 6 is a Graphical User Interface (GUI) of a VPN system administration Web page 600 .
- GUI Graphical User Interface
- the VPN system administration Web page 600 comprises fields for entering a username 602 , a password 604 , and a SecurID token-code 606 .
- An organization menu 608 preferably a drop down menu, is provided for allowing the VPN system administrator to select the server-side systems 130 ( FIG. 1 ) to which VPN service will be provided.
- a users menu 610 preferably a drop down menu, is provided for allowing the VPN system administrator to select the users to which VPN service will be provided. Users are preferably listed alphabetically. Alternatively, two user menus may be provided, one for current active users and one for new users requesting VPN service.
- the administrator can enable 614 , suspend 616 , or delete 618 VPN service. Also, for each user the administrator can select organization configuration (may belong to multiple organizations) and for each organization enter IP address to use, list additional network subnets allowed to connect to, specify security level used (set of IKE and IPSec Authentication and Encryption algorithms, Diffie-Hellman key size, etc.), specify split tunneling (On/Off).
- a status box 612 is provided where the administrator can view the connection status, who the VPN Concentrator is connected to, the last connection time, the total usage, the bytes transferred, the time on-line, the encryption/authentication algorithms used, certificate information, or the like
- New details may include a VPN Concentrator IP address, a VPN Concentrator type, a secondary VPN Concentrator IP address, a secondary VPN Concentrator type, a Radius Server IP address, a secondary Radius Server IP address, the security level—encryption/authentication, a Radius Shared Secret, a list of network subnets allowed to connect to, or the like.
- the VPN administrator can notify the service provider of the loss, preferably through the administrator Web-site.
- NRMS Network Resource Management System
- the modem can only be operated from the user's phone line, and, therefore, cannot be used to connect to the corporate network from another DSL phone line.
- the above methods provide a VPN service which fulfills the requirements of network security and access control, while from the user and administrator's perspective is very easy to install, configure and manage.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A host name query is received by a modem from a client computer. The host name query is simultaneously transmitted from the modem to a plurality of Domain Name System (DNS) servers. A response is returned to the client computer from the modem, where the response is based on the host name query and any responses received from the DNS servers. In a preferred embodiment at least one address associated with the host name query is acquired from the DNS servers. The client computer then sends a request for content to the address. If more than one address is returned, all but one of the addresses is eliminated. This can be done by rejecting all but the most recent address, or rejecting all addresses not provided by a service provider DSN server.
Description
- The present invention relates generally to communication networks, and particularly to a computer implemented method for resolving host names on a network, specifically networks having more than one DNS (Domain Name System) server, such as a Virtual Private Network (VPN).
- Communication networks can generally be characterized as either private or public networks. In pure private networks, communications between multiple computers, located at different locations, occur via a permanent or switched network, such as a telephone network. The communicating computers typically connect directly to each other via a dial-up or leased line connection, thereby emulating their physical attachment to one another. This type of network is usually considered private because the communication signals travel directly from one computer to another.
- Communication over packet networks, such as the Internet, is typically not private, as the network cannot guarantee packet delivery. Such networks allow packets to be injected into, or ejected out of, their circuits indiscriminately, and/or analyzed while in transit. For normal communication this poses no real threat. However, to keep sensitive data communicated on such circuits private, the packets flowing on the circuit must be encrypted so that injected packets can be recognized and discarded to keep unauthorized parties from reading and analyzing data. These private circuits are called “tunnels.”
- A virtual private network (VPN) is a private data network that makes use of tunnels to maintain privacy when communicating over a public telecommunication infrastructure, such as the Internet. The purpose of VPNs is to give server operators, such as corporations, the same capabilities that they would have if they had a private permanent or switched network. VPNs also cost much less to operate than other private networks, as they use a shared public infrastructure rather than a private one.
- Data communicated on a VPN is encrypted before being sent through the public network and decrypted at the receiving end. An additional level of security involves encrypting not only the data but also the originating and receiving network addresses. Server operators today are looking at using VPNs for both extranets and wide-area intranets.
- Setting up a VPN, however, is a complex task. Corporations providing VPN connectivity to their employees, typically, must go through a number of inefficient steps before a VPN network can be established between the server operator's server and an employee's client computer. First, the server operator must set up the individual's account on the server-side. To accomplish this, a VPN system administrator at the server-side, manually enters the configuration data for the new client, determines the necessary security settings, inputs the security settings into an authentication server, and configures the server-side firewall so that it will accept incoming packets from the new client. Second, the VPN system administrator has to configure the client-side by manually entering the configuration data for the new server, determining the necessary security settings, inputting the security settings, and configuring the client-side firewall so that it will accept incoming packets from the new server. No known current means exists for automatically configuring the client and server for VPN communication.
- Another drawback with current systems that establish VPN communication between a client and a server, is that they typically do not allow multiple clients coupled to the same client-side modem to establish multiple VPN communication tunnels over the same modem. For example, say husband (H) telecommutes with his office (OH) using VPN over his Digital Subscriber Line (DSL) modem in his home. Wife (W) would also like to telecommute with her office (OW) a corporation distinct from OH. The standard means for establishing two VPN tunnels is to provide separate modems and telephone lines to ensure that the communication between H and OH and W and OW, remains secure and private. This system is both inefficient and costly as two sets of client-side modems, two telephone lines, and two separate Internet connections are required. A need therefore exists for a means to allow multiple clients to establish multiple VPN tunnels over the same client-side modem.
- Yet another drawback with existing VPN systems is that of host name resolution. Users using a file manager, such as WINDOWS EXPLORER™, or an Internet browser, such as MICROSOFT'S INTERNET EXPLORER™, in conjunction with more recent versions of MICROSOFT WINDOWS™, can enter a string of text into a text box on the Graphical User Interface (GUI) of these applications. Depending on the particular application used, this text box may be called, among other things, a destination field, location field, address field, or URL field. Typically, users enter Uniform Resource Locators (URLs) into the text box. However, a folder or directory name anywhere on the network that the client computer is connected to, may also be entered into the text box. In fact, any string of text may be entered into the text box. A URL is a compact string representation for a resource that is available on the Internet. In general, a URL is written as follows: [<scheme>:<scheme-specific-part>]. The <scheme> portion of the URL identifies which scheme is being utilized. Among the better known schemes are File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), the Gopher Protocol, Wide Area Information Servers (WAIS), USENET News Protocol (News), and the Prospero Directory Service (Prospero). Once the string of text has been entered into the address field and either the “enter” key depressed or the “Go” button clicked, the local client computer attempts to resolve what to display.
- If the text entered is a URL, i.e., prefixed by ftp://, http://, www, etc., the client computer first searches its local cache to see if Web content, such as a Web page, associated with the URL is present on the local client computer. If it is, the associated Web content is displayed to the user. If it is not, the client computer sends out a DNS request to a DNS server dictated by the user's Internet settings, where the DNS (Domain Name System) resolves Internet domain names, such as www.company.com, into IP (Internet Protocol) addresses, such as 204.0.8.51. A DNS list of domain names and IP addresses are distributed throughout the Internet in a hierarchy of authority.
- The DNS server then searches its DNS tables to locate an IP address associated with the URL. If an IP address is located, the IP address is returned to the local computer which then sends a request for the Web page (or other content, such as a file) to that IP address. If an associated IP address is not found on the DNS server, the DNS server returns a “page not found” response to the client computer.
- If the text entered is a directory or folder name on the client computer, or within the network that the client computer forms a part of, and if such a directory or folder name is located, the contents of that folder or directory is displayed. If the text entered is not a directory or folder name on the client computer, or within the network that the client computer forms a part of, the text is sent to a designated search engine which conducts a search of the Internet using the text as the search term. A most likely Web page and/or a list of results located is subsequently displayed to the user. A description of this process can be found in U.S. Pat. No. 6,009,459, which is incorporated herein by reference. Selection of the search engine, most likely Web page, and the list of results is controlled by the manufacturer of the application and cannot be altered by the user.
- The above mentioned text entry system works sufficiently well for a single client computer connected to the Internet. However, when using a VPN, multiple DNS servers and/or folders or directories with the same name, may coexist on the VPN. Therefore, the client computer, or its modem, has no way of intelligently determining which cache to search, which DNS server to send the request to, which search engine to use, and/or which directory or folder's contents to display. A need, therefore, exists to manage and prioritize requests entered into the text box of the above mentioned applications.
- In light of the above, a less complex, inefficient, and costly method for configuring a VPN where the resources of a service provider can be redirected to areas other than manually configuring the system would be highly desirable. Furthermore, a VPN system that allows multiple clients coupled to the same client-side modem to establish multiple VPN communication tunnels over the same modem, would also be desirable. In addition, any advancement in host name resolution that addresses the abovementioned drawbacks would be welcomed.
- According to the invention there is provided a computer implemented method for resolving host names on a network. First, a host name query is received by a modem from a client computer. The host name query is simultaneously transmitted from the modem to a plurality of Domain Name System (DNS) servers. A response is returned to the client computer from the modem, where the response is based on the host name query and any responses received from the DNS servers. In a preferred embodiment at least one address associated with the host name query is acquired from the DNS servers. The client computer then sends a request for content to the address. If more than one address is returned, all but one of the addresses is eliminated. This can be done by rejecting all but the most recent address, or rejecting all addresses not provided by a service provider DNS server. In addition, if no host is located by the DNS servers, a search is performed using the host name query as a search string, and an address of where the results of the search can be viewed is transmitted to the client computer. A computer program product for performing the above method is also provided.
- Therefore, by using the above, resolving host names on a network having multiple DNS servers can be more accurately controlled.
- Additional objects and features of the invention will be more readily apparent from the following detailed description and appended claims when taken in conjunction with the drawings, in which:
-
FIG. 1 is a block diagram of the system architecture according to an embodiment of the present invention; -
FIG. 2 is a block diagram of the modem shown inFIG. 1 ; - FIGS. 3A-D are flow charts of a method for automatically configuring a VPN according to an embodiment of the invention;
- FIGS. 4A-C are flow charts of a method for establishing multiple VPN tunnels over a single modem according to an embodiment of the invention;
- FIGS. 5A-C are flow charts of a method for automatically resolving host names in a VPN according to an embodiment of the invention; and
-
FIG. 6 is a Graphical User Interface (GUI) of a VPN system administration Web page. - Like reference numerals refer to corresponding parts throughout the several views of the drawings.
- The VPN disclosed herein makes use of a public telecommunication infrastructure and maintains secure communication through the use of encrypted tunneling protocol and security procedures. From the user's perspective, the connection appears to be a private network connecting the user's computer to a server operator's server-side system despite the fact that all communication is occurring over the public telecommunication infrastructure.
- A preferred VPN meets the following general requirements for network security and access control. Information transferred over the VPN is encrypted with strong encryption algorithms, thereby ensuring confidentiality. An unauthorized party without the knowledge of the sending and receiving parties cannot secretly modify the transferred information, thus safeguarding the integrity of the communication. Furthermore, before information is transferred between parties, both sides need to authenticate themselves to each other by using Digital Certificates. Additionally, a home user will only be able to access the VPN and transfer or receive information from the server operator system after the user provides a username, password and optionally a tokencode and is authenticated by the server operator's authentication server.
- Furthermore, the VPN system disclosed herein is relatively easy for telecommuting users to install and maintain, as the client VPN software resides on the user's modem instead of on the user's client computer. This alleviates drawbacks associated with software interoperability and maintenance issues on the user's client computer. Also, server operator VPN system administrators can securely connect to easy to use web interfaces to manage their entire VPN system.
-
FIG. 1 is a block diagram of thesystem architecture 100, according to an embodiment of the present invention. A client-side system 108 connects to both aservice provider system 146, and a server-side system 130, where the client-side system 108,service provider system 146, and server-side system 130 are preferably computer networks comprising one or more computing devices coupled together. In a preferred embodiment, the client-side system 108 comprises one or more computers coupled to a modem. - The client-
side system 108 is preferably operated by one or more users who desire to connect to the server-side system 130 via a VPN. The server-side system is preferably operated by a server operator, such that the user can connect or telecommute via a VPN with the server-side system 130 as if he or she was locally connected to it. A service provider preferably operates and controls the VPN and theservice provider system 146. It should be understood that the service provider, user, and server operator may be distinct individuals, a group of individuals, a legal entity, or the like. Furthermore, although in practice, the service provider, the user, and/or the server operator are separate entities, this is not required. - The client-
side system 108 preferably comprises one or more client computers 102(1)-(N) coupled together to form a local area network orLAN 104.Client computers 102 include any type of computing device, such as a personal computer, handheld computer, or the like. TheLAN 104 is coupled to amodem 106 that in turn couples to a service provider managednetwork 114 and theInternet 116. In the preferred embodiment, themodem 106 is a DSL (Digital Subscriber Line) modem that couples to a Digital Subscriber Line Access Multiplexer (DSLAM) 112, which is a network device that is usually located at a telephone server operator'scentral office 110. TheDSL modem 106 preferably couples to the DSLAM 112 over regular telephone lines [POTS (plain old telephone service) lines]. The DSLAM 112, in turn, couples to the service provider managednetwork 114 and theInternet 116 in a manner well understood in the art. The service provider managednetwork 114 is preferably an ATM (Asynchronous Transfer Mode) network. It should be understood that DSL technology is only one way of connecting to theInternet 116. DSL technology is used for its speed of communication and accessibility to users' homes over regular telephone lines. In alternative embodiments of the invention, cable modem technology, satellite technology, or the like may be utilized as long as the modem described is used. - The service provider managed
network 114 also couples to theservice provider system 146. Theservice provider system 146 preferably comprises a service provider'sDNS server 120, aVPN Provider 118, and an HTTP (Web)server 160 containing administration HTTP (Web) pages 162, an example of which is shown inFIG. 6 . The administration HTTP (Web) pages 162 may alternatively be stored on a Value Added Network Services (VANS)database 128. Use of theDNS server 120 will be explained below in relation toFIG. 5 . - The
VPN Provider 118 is an important part of the VPN infrastructure. Based on commands and information entered intoadministration Web pages 162 by remote corporate VPN system administrators, theVPN Provider 118 dispatches instructions to configure and control themodem 106 and a VPN concentrator 136 (described below) and manage their security policies. The VPN concentrator 136 is a device that combines several communications channels into one and is often used to tie multiple terminals together into one line. TheVPN Provider 118 also transmits certificate and private keys from a security generator, such as a Public Key Infrastructure (PKI)synchronizer 124, where keys are numeric codes that are combined in some manner with communicated data to encrypt it for security purposes. The corporate administration Web-pages 162 are preferably unique for each server operator and only allow administration ofVPN concentrators 136 resident at the server-side system locations 130, and users that access such server-side systems 130. - The
VPN Provider 118 is preferably coupled to an OSS (Operational Support System) 122, a Public Key Infrastructure (PKI)synchronizer 124, aVPN synchronizer 126, a Value Added Network Services (VANS)database 128, and a modem synchronizer orcache farm 148. In addition to its usual functions, theOSS 122, also, preferably controls online-ordering and billing of VPN services. - Although PKI is preferably used to secure the communications, any suitable alternative security mechanism may be used. PKI enables users of an unsecured public network, such as the Internet, to securely and privately exchange data through the use of public and private cryptographic key pairs that are obtained and shared through a trusted authority. PKI provides for Digital Certificates that can identify individuals or organizations. A Digital Certificate is an electronic “credit card” that establishes a sender's credentials. It is issued by a certification authority (CA) 150, and contains the senders name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting and decrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. The
PKI synchronizer 124 consists of: a certificate authority (CA) 150 that issues and verifies Digital Certificates, where each certificate includes the public key or information about the public key; a registration authority (RA) 152 that acts as the verifier for the CA before a Digital Certificate is issued to a user; and one ormore directories 154 where the certificates (with their public keys) are held. Although not shown, a certificate management system may also be provided. - As the Root CA the PKI processes PEM (Privacy Enhanced Mail) encoded PKCS #10 (Public-Key Cryptography System) Digital Certificate requests and return Certificates in the PKCS #7 format, where the Root CA is the parent authority that all CAs trust. As an additional function the PKI generates private and public key pairs. The public key is used for certificate creation, while the private key, once it has been sent to and received by the modem, is deleted from the PKI. The PKI requires an API (Application Program Interface) that can be called by the VPN Provider to control the PKI functions such as process a certificate request, etc. The PKI also needs to support revoking certificates with a minimum of issuing CRL's (Certificate Revocation List).
- The
VPN Synchronizer 126 is used to serve security data via the VPN provider to theVPN Concentrator 136, while the modem synchronizer orcache farm 148 is used to serve security data via the VPN provider to themodem 106. - The
VANS database 128, provides the features that allow management of the entire VPN. The VANS database contains the security policies and certificates for themodem 106 and theVPN Concentrators 136. For example, for each pair of client-server VPN tunnels set up, a security policy for each modem and eachVPN Concentrator 136 is stored in theVANS database 128. The VANS database preferably contains server location information, network information, or the like. The network information preferably includesDNS server 144 addresses,authentication server 138 addresses, WINS (Windows Internet Naming Service) server IP addresses, default corporate network subnets, encryption and authentication algorithms, user's configuration information (locations, additional corporate subnets allowed to connect to), or the like. - The server-
side system 130 preferably consists of arouter 132 coupled to afirewall 134 and aVPN concentrator 136. Thefirewall 134 andVPN concentrator 136 are coupled to a local area network orLAN 156. TheLAN 156 couples anauthentication server 138, afile server 140, aproxy server 142, and the server operator'sDNS server 144 to one another. - The
router 132 is a device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination. Therouter 132 is coupled to at least two networks, namely theInternet 116 and theLAN 156, and decides which way to send information packets based on its current understanding of the state of the networks it is connected to. - The
firewall 134 is a set of related programs located at the server-side system 130, that protects the resources of theLAN 156 from users connected to theInternet 116. Thefirewall 134 also works with theproxy server 142 to make network requests on behalf of corporate workstation users (not shown). The firewall is preferably installed on a computer separate from the rest of theLAN 156 so that no incoming request can access private network resources. Alternatively, thefirewall 134 may form part of another computer, such as therouter 132 orVPN Concentrator 136. There are a number of firewall screening methods that may be used in conjunction with the invention. One such method is to screen requests to make sure they come from acceptable (previously identified) IP addresses. In the present invention, thefirewall 134 allows remote access to theprivate LAN 156 by the use of secure logon procedures and authentication certificates, explained below. - In use, a VPN tunnel is constructed between the
modem 106 and theVPN concentrator 136, which acts as a server and responds to VPN session requests. In the preferred embodiment of the invention, theVPN concentrator 136 conforms to IETF IKE (Internet Engineering Task Force-Internet Key Encryption) and IPSec (Internet Protocol Security) standards and provides as a minimum DES (Data Encryption Standard) and/or 3DES (Triple Data Encryption Standard (168 Bit)) encryption and HMAC-MD5 (Hashed Message Authentication Code-Message Digest 5) and/or HMAC-SHA1 (Hashed Message Authentication Code-Secure Hash Algorithm 1) authentication algorithms. The VPN concentrator also preferably supports multiple concurrent IPSec tunnels and is fully compatible with authentication and encryption software, such as the HIFN IKE andIPSec Toolkits 238 that are shown and described in relationFIG. 2 . The IKE Security negotiation authenticates the sender and receiver using standard X.509v3 Digital Certificates. An example of a suitable VPN concentrator is made by REDCREEK COMMUNICATIONS™, Inc., and is configured by controlling and pushing configuration details to REDCREEK'S E-DIRECTOR™ (ReD) server. - The
authentication server 138 is used to authenticate a VPN session request from themodem 106. In the preferred embodiment of this invention, theauthentication server 138 is a RADIUS (Remote Authentication Dial-In User Service) server. RADIUS is client/server protocol and software that enables clients to remotely communicate with a central server that authenticates users and authorizes their access to the requested system or service. RADIUS allows a server operator to maintain user profiles in a central database, preferably on theauthentication server 138, that all remote servers can share. RADIUS also provides enhanced security, allowing a server operator to set up a policy that can be applied at a single administered network point. Having a central service also means that it is easier to track usage for billing and for keeping network statistics. RADIUS client software is preferably also located on themodem 106, such that data packets sent by themodem 106 are RADIUS formatted. An example of suitable RADIUS software is “Funk Steel Belted RADIUS™” made by FUNK SOFTWARE™, Inc. - The
file server 140 is used to serve files requested by a user to aclient computer 102. Theproxy server 142 is a server that acts as an intermediary between theLAN 156 and the Internet so that the server operator can ensure security, administrative control, and caching service. One function of theproxy server 142 is to accept securely formatted packets (preferably RADIUS formatted packets) from the modem's security software 226 (FIG. 2 ) (preferably RADIUS software) and proxy the request to theauthentication server 138. - In a preferred embodiment the proxy server uses open source software, such as CISTRON RADIUS SERVER VERSION 1.6.3™, and is modified to accept RADIUS packets from
client computers 102 without client configuration. Optionally, OEM Radius software (Funk Steel Belted Radius™) which can operate in promiscuous mode, can be used that has the additional advantage of having the capability of authenticating against a MICROSOFT NT™ Domain or NOVELL NDS™. Promiscuous mode is the condition in which a node in a network recognizes and accepts all packets on the line regardless of protocol type or destination. Use of the server operator'sDNS server 144 will be explained in detail below in relation toFIG. 5 . - It should be appreciated that the functions of the various devices shown in
FIG. 1 can be provided by separate devices or software, or combined in a single device or software package. Furthermore, different procedures can be resident in different, or the same computers. For example, theproxy server 142 may be in the same computer as thefirewall 134 or it may be on a separate computer. -
FIG. 2 is a block diagram of themodem 106 shown inFIG. 1 .Modem 106 preferably includes at least one data processor or central processing unit (CPU) 202; amemory 210;communication circuitry 206; input andoutput ports 204; and at least onebus 212 that intercouples these components.Memory 210 preferably stores an operating system 214 (such as VXWORKS™ made by Wind River Systems Inc., or EMBEDDED LINUX a free Unix-type operating system), having instructions for communicating, processing, accessing, storing, or searching data, etc.Memory 210 also preferably includescommunication procedures 216; a packet filtering firewall (FW) 218; an HTTP (Web)server 220; an HTTP (Web)client 222; HTTP (Web) pages 224; security procedures (Radius client) 226; Network Address Translation (NAT) 228; a DHCP (Dynamic Host Configuration Protocol)server 230;DNS relay procedures 232; aflash memory 234; acache 236; an IKE/IPSec Toolkit 238, such as that made by HI/FN, Inc; and aDigital Certificate manager 240, such as a X.509v3 Digital Certificate manager made by HI/FN, Inc. -
Communication procedures 216 are used for communicating with the service provider system 146 (FIG. 1 ), the server-side system 130 (FIG. 1 ), and the client-side local LAN 104 (FIG. 1 ). The packet filtering firewall (FW) 218 protects the resources of the client-side LAN 104 (FIG. 1 ) from users connected to other networks. The HTTP (Web)server 220 serves HTTP (Web) pages 224 to users of the client computers 102 (FIG. 1 ). One such Web page is a user login page with fields for entering security data, such as a username and password. The HTTP (Web)client 222 requests Web pages from the Internet 116 (FIG. 1 ) and preferably utilizes Digital Certificates and supports SSL (Secure Sockets Layer). - The
security procedures 226 enable the client computers 102 (FIG. 1 ) to communicate with the server-side system 130 (FIG. 1 ), authenticate VPN users, and authorize user access to the requested servers. As discussed above, thepreferred security procedures 226 utilize RADIUS client software. Thesecurity procedures 226 are used to proxy the user's authentication request to the corporate proxy server 142 (FIG. 1 ). An authentication reply from the authentication server 138 (FIG. 1 ) determines whether access to the server-side system 130 is granted. As explained in greater detail in relation to the description ofFIG. 4 below, if a valid authentication response is received by the modem 106 (FIG. 1 ), encrypted packets can be communicated between a client computer and the server-side system. Thesecurity procedures 226 preferably conform to RFC (Request for Comments) 2138. - Network Address Translation (NAT) 228 is used to translate Internet Protocol addresses (IP addresses) used within one network, preferably the LAN 104 (
FIG. 1 ), to different IP addresses known within another network, preferably the Internet 116 (FIG. 1 ). Therefore, NAT maps the LAN IP addresses to one or more global IP addresses and unmaps the global IP addresses of incoming packets back into LAN IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses used by the modem 106 (FIG. 1 ). - Therefore, the VPN effectively extends the server-side system 130 (
FIG. 1 ) to a user's home client computer. This requires the user's client computer to either use a corporate assigned IP address that is assured to be unique and can be routed within the server-side system, or to use a private non-routable IP address and through Network Address Translation (NAT), assume a corporate assigned IP address. If NAT is used, many applications that include IP address information in the IP payload may not work. Some examples of these applications are NETMEETING™, RPC™, NT-LANMAN™ authentication, ICQ™, etc. The VPN system supports a number of scenarios. If the server operator assigns private non-routable IP address blocks for all user's utilizing the VPN (ex. 10.250.0.0), then the assigned IP block must be unused throughout all the server-side system locations. TheVANS sub-system FIG. 1 ) will allocate a subnet for each user from the assigned IP blocks. The modem's DHCP server 230 (FIG. 2 ) is configured to offer the subnet to the client computers 102 (FIG. 1 ). Alternatively, if the server operator assigns a global static IP address to each modem, the modem uses a one-to-one NAT to make each client computer appear to be sourced by the static IP address. For example, for the configuration of two client computers connected behind the modem with IP addresses of 10.6.1.3 and 10.6.1.4 with only the client computer with an IP address of 10.6.1.3 connecting to a server operator with the subnet of 3.0.0.0 and using a server operator assigned IP address of 3.1.100.3 these are the sample NAT rules:
map atm0 10.6.1.0/24−>216.217.40.5/32
map atm0 10.6.1.3/32−>3.1.100.3/32 -
- [Where 3.1.100.3 is the corporate assigned IP address which is part of the corporate address space, 216.217.40.5 is internal modem IP address and atm0 is the modem virtual interface. Packets destined for the Internet will be NATed to 216.217.40.5 and packets from 10.6.1.3 destined for the server-side system will be NATed to 3.1.100.3.]
- The
DHCP server 230 lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses to the client computers 102 (FIG. 1 ) in the LAN 104 (FIG. 1 ). Using the Internet's set of protocols (TCP/IP), each client 102 (FIG. 1 ) that can connect to the Internet 116 (FIG. 1 ) is assigned a unique IP address. Without DHCP, the IP address must be entered manually at each computer and, if computers move to another location in the LAN, a new IP address must be entered. TheDHCP server 230 lets a network system administrator supervise and distribute IP addresses from a central point and automatically send a new IP address when a computer is plugged into a different place in the network. - The DNS (Domain Name System)
relay procedures 232 allows the user's client computer 102 (FIG. 1 ) to resolve IP addresses within the private corporate-side LAN 156 (FIG. 1 ), and resolve Internet domain names into IP addresses. - The
flash memory 234 is a type of constantly-powered nonvolatile memory that can be erased and reprogrammed in units of memory called blocks. In the preferred embodiment of the invention, the following is stored in the flash memory 234: The Root CA Certificate, Sub CA Certificate, EW Certificate (Use for connecting to all server-side systems), EW Private Key, EW Password, VPN Security Policy (One set for every server operator, each user may connect to several server operators in different locations which the modem will be allowed to connect to), Cached Log information, and Login/Status Web page. - The
cache 236 is a temporary storage memory. The HIFN™ provided IKE/IPSec Toolkit 238 and HIFN™ provided X.509v3Digital Certificate management 240 are software products provided by HI/FN, Inc.™, which are used to implement IPSEC (Internet Protocol Security) and IKE (Internet Key Encryption). - Turning now to the configuration of the VPN system between a
server operator 130 and aremote user 108. The server operator firstly enters into an agreement for DSL service, including VPN, from aservice provider 146. A VPN concentrator 136 (FIG. 1 ) is provided to the server operator, and the server operator is given a code which is entered when the user sign up for DSL service. The service operator is also given a web client Digital Certificate, an HTTP administration URL (Uniform Resource Locator) that the server operator can use to access and administer their VPN system, and an administrator username and password used to login to the administrator Web page, as explained below in relation toFIG. 6 . The code is used to determine which server operator a user is associated with. This information is passed on to the user by the server operator. By logging on to the service provider's Web page, the user can preferably request DSL and VPN service by entering the code, their telephone number, name and address, etc. Subsequently, a modem is supplied to the user, which the user preferably connects to a phone line and at least one client computer 102 (FIG. 1 ). A browser link on the client computer is used to access login Web-pages located on the modem. The modem automatically configures, and the system administrator instructs the VPN system, via an administration Web-page, to supply VPN service to the user. The system automatically configures the VPN system and the server operator is billed. - Moreover, the modem is preferably configured to send and receive data traffic directly to and from the Internet, while only server operator side data traffic is sent and received through the VPN tunnel. If a modem does not have this feature, all data traffic must first be sent through the VPN tunnel to the server operator, and thereafter the data traffic destined for the Internet passed through the server operator network firewall.
- FIGS. 3A-D are flow charts of a
method 300 for automatically configuring a VPN according to an embodiment of the invention. A VPN system administrator, such as a corporate IT administrator, requests (step 302) an administration interface from the service provider. The service provider receives (step 304) the request for the administration interface and sends (step 308) the administration interface to the administrator. The administration interface is preferably the administration Web page 162 (FIG. 1 ) stored on the service provider's Web server 160 (FIG. 1 ), an example of which is shown inFIG. 6 . Although not shown, secure login is preferably provided so that only the administrator can log into his server operator's VPN administration system. The administrator then receives (step 306) the administration interface, preferably containing a list of users and corporate servers, and selects (step 310) the corporate servers to add to the VPN system. The selected corporate servers are then transmitted (step 312) to the service provider who receives (step 314) the selection. The administrator then selects (step 316) the users that he would like to add to the VPN system. The selected users are then transmitted (step 318) to the service provider who receives (step 320) the selected users. In an alternative embodiment, selected servers and users may be transmitted simultaneously. - The VPN provider 118 (
FIG. 1 ) then accesses the PKI synchronizer 124 (FIG. 1 ) to determine (step 322) the security settings for the VPN, using standard security means, such as digital certificates. In the preferred embodiment, the security settings are obtained as follows. A public and private key are created simultaneously using an algorithm by the certificate authority (CA) 150 (FIG. 1 ). The private key is given only to the requesting party and the public key is made publicly available (as part of a Digital Certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the Internet. The private key is used to decrypt text that has been encrypted with the public key by the sender. In addition to encrypting messages (which ensures privacy), authentication can also be provided by using the private key to encrypt a Digital Certificate. - The selected corporate servers, users, and security settings are then stored (step 324) in the VANS database 128 (
FIG. 1 ). A one-time only password is subsequently transmitted (step 326) to the new user. The user, using one of the client computers 102 (FIG. 1 ), and the modem, receives (step 328) the one time only password, which is stored in the modem's flash memory 232 (FIG. 2 ). When the user is ready to log on to the VPN system for the first time, the user requests a one-time only login page which is stored as one of the Web pages 222 (FIG. 2 ) on the modem. The Web server 220 (FIG. 2 ) on the modem then serves (step 329) the one-time only login page to the user's web browser on the client computer. The one-time only login page is received and displayed (step 331) on the client computer. The user enters the one time only password, which is transmitted (step 332) to the service provider. The service provider, more specifically the VPN provider 118 (FIG. 1 ) receives (step 334) the one time password and passes the one time password to the PKI Synchronizer 124 (FIG. 1 ). If authentication of the one time password is successful (step 336—Yes), the service provider automatically (cache farm/modem synchronizer 148) configures (step 338 and 340) the modem with the saved security settings. The service provider (VPN Synchronizer) may also, at this time, automatically configure (step 342 and 344) the server-side system 130 (FIG. 1 ) with the security settings. Configuration of the server-side system preferably entails configuration of the authentication server 138 (FIG. 1 ) and the firewall 134 (FIG. 1 ). If authentication of the one time password is not successful (step 336—No), the one-time only login page is again displayed (step 331) on the client computer, and the user is again prompted to enters the one time only password. - To synchronize (step 340) the security settings with the modem, the modem preferably downloads a set of VANS Product URLs, which are pointers to the real security settings. The VPN Product URLs include a download VPN configuration URL, a download modem firewall configuration URL, a renew and download modem PKI certificates URL, and a report VPN operational test result URL. The modem connects to the VPN URLs, authenticates using the cached one time password, and downloads the VPN configuration from the VANS database 128 (
FIG. 1 ). The VPN Configuration preferably includes VPN security policy(ies), a private key and certificate, and a root CA certificate. The modem stores the VPN security policy(ies), and private key and certificates in its flash memory 232 (FIG. 2 ). The modem then preferably configures its DHCP server 234 (FIG. 2 ) for DNS server IP address; WINS server IP address; and assigned corporate IP subnet. - The user is then instructed (step 346), preferably via a Web page, to reboot the client computer. The user then reboots (step 348) the client computer and the modem. The modem, for each VPN Security Policy, then preferably performs an operational test where a VPN tunnel is created (step 350) and the internal port of the VPN Concentrator 136 (
FIG. 1 ) is pinged (step 352). If the operational test is successful (step 354—Yes), the VPN login page (one of the Web pages 224 (FIG. 2 ) on the modem) is enabled and configured (step 256). If the operational test is not successful (step 354—No), then the user is prompted to re-enter the one time password, which is again transmitted (step 332) to the service provider. - The above described method addresses the manual configuration drawbacks associated with current VPNs, as it is less complex, more efficient, and less costly than current VPN systems. In addition, the resources of service providers can be redirected to areas other than manually configuring the system. Using the above described method, VPN service providers can eliminate sending out technicians to server operators and users to configure their systems. This leads to tremendous cost savings for the service provider and the server operator. Further benefits can be brought about by allowing multiple users to establish distinct VPNs using the same modem. These further benefits are described below in relation to FIGS. 4A-C.
- FIGS. 4A-C are flow charts of a
method 400 for establishing multiple VPN tunnels over a single modem. The user or corporate employee, preferably using a Web browser on one of the client computers 102 (FIG. 1 ), requests (step 402) the initiation of a VPN session. The request is received (step 404) by the modem 106 (FIG. 1 ). All routes which point to the tunnel are cleared. A login interface is then transmitted (step 406) to the client computer from where the request originated. The login interface is preferably a Web page 224 (FIG. 2 ) stored on the modem 106 (FIG. 2 ), and is preferably served by the Web server 220 (FIG. 2 ). The login interface is received (step 408) by the client. The user enters a username and password and, from a list of server operators and/or servers, selects the location to connect to. In the preferable embodiment, a SecurID token is also entered by the user, where SecurID technology guards against unauthorized access by providing dynamic user authentication via a randomly generated one-time code that automatically changes every 60 seconds, which provides substantially greater security than traditional password systems. A location is listed for each VPN security policy resident on the modem, i.e., each server-side system 130 (FIG. 1 ). These login details are then transmitted (step 410) to the modem's Web server 220 (FIG. 2 ), which receives (step 412) the login details. The MAC address and/or IP (Internet Protocol) address of the client computer from where the request came, is determined and stored (step 414) in the modems flash memory 232 (FIG. 2 ). The MAC address is a unique serial number burned into Ethernet and Token Ring adapters that identifies that network card from all others. Determination of the Mac or IP address is preferably accomplished by reading the connection log for the modem Web server 220 (FIG. 2 ) to extract which host IP address made the request. The modem then configures (step 415) its security settings. Configuration of the security settings depends on the encryption standards used. - In the preferred embodiment, configuration of the security settings occurs using standard IPSec implementation. The IPSec stack is configured with the server operator server's VPN Security Policy (VPN Concentrator IP address, authentication method, IKE and IPSec authentication and encryption algorithms, Diffie-Hellman Group, key lifetime). The security procedures 226 (
FIG. 2 ), preferably a Radius Client, is configured with details such as shared secret, Radius server IP address, port, etc. If a static IP address has been assigned to the modem, then the NAT (Network Address Translation) table 228 (FIG. 2 ) is configured (one to one NAT using IP address for Location). The firewall 218 (FIG. 2 ) is configured to allow for communications in both directions. A modem certificate is added, as well as a private key and CA Root certificate to the ISAKMP Cache.IKE Phase 1 mode is established with the VPN Concentrator where the modem authenticates using its Digital Certificate to the VPN Concentrator, and Security Association (SA) is established between the modem and the VPN Concentrator. IKE Phase II negotiates IPSec SA. IPSec Tunnel is established based on SA. A route is added for connecting to the authentication server 138 (FIG. 1 ). - Subsequently, the security procedures 226 (
FIG. 2 ) on the modem, preferably a Radius Client, transmits (step 416) an access request, which is received (step 418) by the authentication server 138 (FIG. 1 ). The authentication server then attempts to authenticate (step 420) the request. A response is formulated and transmitted (step 422) to the modem, which receives the response (step 424). The response may be either access accepted, access challenged, or access-rejected. - If access is rejected (
step 426—Yes) then a Web page, from the stored Web pages 222 (FIG. 2 ) on the modem, displaying such rejection is displayed (step 427) to the user and the user is allowed to re-enter and re-transmit (step 410) the login details, such as a username and password. If access is challenged (step 428—Yes), then a Web page, from the stored Web pages 222 (FIG. 2 ) on the modem, displaying such challenge is displayed (step 427) to the user and the user is allowed to re-enter and re-transmit (step 410) the login details, preferably only the password. - If access is accepted (step 430—Yes), then a VPN tunnel is established (step 432) between the client having the stored IP or MAC address and the server-side system. This is preferably accomplished by adding routes from the connecting client to the corporate subnets through a virtual interface. If split-tunneling is not allowed then the routes to the Internet are removed and the default route is set to the VPN Concentrator. Login details are stored in a log file, which is periodically pushed to the VANS database 128 (
FIG. 1 ) by the modem. The modem then starts a connection timer and monitors communication traffic. - After a successful authentication, firewall rules are added to the packet filtering firewall 218 (
FIG. 2 ) to allow full access to the server-side system from only the client computer from where the VPN request originated. For example:
add 210 allow ip from aaa.aaa.aaa.aaa to bbb.bbb.bbb.bbb via dsl0
add 220 allow ip from bbb.bbb.bbb.bbb to aaa.aaa.aaa.aaa via dsl0
Where aaa.aaa.aaa.aaa is the Telecommuter's PC IP address, bbb.bbb.bbb.bbb is the corporate subnet and dsl0 is the modem's virtual interface. - If no traffic is detected for a length of time defined by the VPN system administrator, there is a system timeout (step 434), the tunnel is torn down and a disconnect message is displayed, where the user has the option to re-log on (step 438). The user may, also, at any point, choose to log out (step 436) of the VPN. Again the user is given the option to re-log on (step 438). If the user decides not to re-log on, he or she is logged out of the system (step 440). In this way security is protected by dropping the VPN should the user not be using the VPN for a predetermined length of time. Therefore, if a user forgets to disconnect from the VPN and leaves the client computer unsecured, the VPN will automatically be dropped after a length of time determined by the VPN system administrator.
- Should other users, using any of the remainder of the client computers 102 (
FIG. 1 ) also require the formation of distinct VPNs with other, or the same, server-side systems, they may login in the same manner as described above, where distinct VPNs are formed in the same manner as explained above. Security of the multiple VPNs is not compromised, because each VPN is only established between the client computer where login occurred and the corporate VPN associated with the user's unique login details. This is accomplished, as explained above, by restricting communication of each VPN to a single client computer having a previously established and stored IP or MAC address. Each VPN is then formed only between the server-side system selected by a user and the client computer from where login occurred. - Security mechanisms used in a preferred embodiment of the invention may be generally described as follows:
- 1. Upon receiving instructions from the corporate administrator Web interface the VPN service for a user can be suspended or deleted. If suspended then the VPN Provider 118 (
FIG. 1 ) will instruct the modem 106 (FIG. 1 ) to suspend VPN service. Any on-going IPSec session is stopped and no new IPSec sessions can be initiated. If deleted then the modem's Digital Certificate is revoked and the VPN Provider will contact the modem with instructions to delete its certificate and disable VPN service. - 2. The VPN Concentrator will only allow an IKE/IPSec connection from a VPN client (modem) with a valid Digital Certificate that can be authenticated by the issuing Certificate Authority 150 (
FIG. 1 ). The authentication works as follows: -
- i. During the first phase of ISAKMP, a packet containing the modem X.509v3 Digital Certificate signed by a Root CA is passed from the modem to the VPN Concentrator. The VPN Concentrator authenticates the Root CA signature in the certificate using the CA public key. Then the VPN Concentrator uses the modem's public key to validate the modem signature in the certificate.
- ii. During the next phase of ISAKMP, the opposite happens. The VPN Concentrator X.509v3 Digital Certificate signed by the same Root CA is passed from the VPN Concentrator to the modem. The modem authenticates the Root CA signature in the certificate using the CA public key. Then the modem uses the VPN Concentrator's public key to validate the VPN Concentrator signature in the certificate.
- iii. The session key used to encrypt traffic between devices is generated using a Diffie-Hellman cryptographic technique that enables sending and receiving parties to exchange public keys in a manner that derives a shared, secret key at both ends. Using a common number agreed by both sides, both sides use a different random number, which is their individual private key, as a power to raise the common number. The results become their private keys and are sent to each other. The receiving party raises the received number to their own private keys, and the results are the same on both sides. Further details can be found in U.S. Pat. No. 4,200,700 to Hellman et al., the description of which is hereby incorporated by reference. The Diffie-Hellman technique generates the session key on the modem device using a public exposed value from the VPN Concentrator and a unique private value on the modem. The Diffie-Hellman algorithm generates the identical session key on the VPN Concentrator device using a public exposed value from the modem and a unique private value on the VPN Concentrator.
- iv. The session key can now be used with a block cipher such as DES or 3DES to encrypt information between the devices.
- 3. The modem will not initiate an IPSec connection to the VPN concentrator until a user's username, password, and token-number has been proxied in an Access-request message via a Radius Proxy server to a corporate Radius server and an Access-accept response is received back. Then the modem can initiate an IPSec connection and add the routes to the server-side system to its routing table. Also, the modem firewall rules are added to allow only traffic from the user's client computer to the server-side system.
- The above described method addresses the difficulties associated with establishing multiple VPNs over a single modem, leading to tremendous cost and efficiency benefits. Two separate modems connecting to the Internet using separate DSL connections is no longer required. Further cost and efficiency benefits can be attained by addressing the difficulties associated with resolving host names in a VPN. These further benefits are described below in relation to FIGS. 5A-C.
-
FIG. 5A -C areflow charts 500 of a method for automatically resolving host names in a VPN with multiple DNS servers, according to an embodiment of the invention. Typically, when a server-side system 130 (FIG. 1 ) is behind an Internet firewall, a split DNS (internal/external) is operated for the corporate domain, i.e., a separate internal corporate DNS server 144 (FIG. 1 ) and a separate external service provider DNS server 120 (FIG. 1 ) coexist on the VPN. The internal server operator DNS server contains all the server-side system's IP address which are private, and the external service provider DNS server contains all the IP address which are public. - With VPNs, the problem arises as to which DNS server the client computer communicates with, to resolve host names. The DNS Relay procedures 232 (
FIG. 2 ) on the modem must, therefore, be able to relay DNS queries for the Internet domains to the service provider's DNS servers 120 (FIG. 1 ), while relaying DNS queries for the corporate domains to the internal corporate DNS server 144 (FIG. 1 ). - To accomplish the above, the user's client computer DNS server settings, usually accessible from the Browser, are set to the internal IP address of the modem. Once a user requests a host, such as by typing “www.company.com” into the text or address box of his Internet browser, the client computer 102 (
FIG. 1 ) transmits (step 502) the host query to the modem 106 (FIG. 1 ). The modem receives the query (step 504) and searches (step 506) its local cache 236 (FIG. 2 ) for a host corresponding to the requested host. - If the modem locates the host in the cache (step 508—Yes), the located host address is returned (step 512) to the client computer, which receives (step 542) the host address. Alternatively, if a cached version of the requested page is located, the page itself will be returned to the client computer and displayed to the user. If a host address is returned (step 512) to the client computer, then the client computer formulates a new request for content, and sends (step 544) it to the host address. The request is preferably a HyperText Markup Language (HTML) request for content such as a Web page or file.
- If the host is not located in the cache (step 508—No), the host query is transmitted to all DNS servers set up in the modem. In the preferred embodiment, the host query is transmitted (step 514) to the server operator's DNS Server 144 (
FIG. 1 ), and is transmitted (step 516) to the service provider's DNS Server 120 (FIG. 1 ). Once the host request is received (steps 520 ) by the server operator's DNS server, the server searches (step 522) for the host's associated address, which is preferably the host's IP address. Likewise, once the host request is received (steps 518) by the service provider's DNS server, the server searches (step 524) for the host's associated address, which is preferably the host's IP address. It should be noted that if fewer, or more, DNS servers are provided, they too will be sent the host request and they too will search for the host's associated address. - If the server operator's DNS server locates (step 526—Yes) the host's associated address, the address is returned (step 542) to the modem. If the server operator's DNS server does not locate (step 526—No) the host's associated address, the server operator's DNS server transmits (step 546) a “No Host Found” message to the modem.
- Likewise, if the service provider's DNS server locates (step 528—Yes) the host's associated address, the address is returned (step 530) to the modem. If the service provider's DNS server does not locate (step 528—No) the host's associated address, the service provider's DNS server transmits (step 546) a “No Host Found” message to the modem.
- Once the modem acquires (
steps 532 and 534) the address from the service provider's DNS server and/or the server operator's DNS server, the modem determines (step 536) whether it has received more than one address, i.e., an address from both the service provider's DNS server and the server operator's DNS server. If only one address is received (step 536—No), then the address is returned (step 540) to the client computer. If more than one address is received (step 536—Yes), then the modem applies (step 538) a policy to the received addresses, so as to be left with only a single address. In the preferred embodiment the policy keeps only the most recent address. Alternatively, the policy may always return the address supplied by the service provider. Once the policy has been applied and only one address remains, that address is returned (step 540) to the client computer. - Once the client computer receives (step 542) the address, it formulates a request for content, such as an HTML request for a Web page, and sends (step 544) the request to the received address. Therefore, if for example a host request for “www.company.com” returns a request from both the service provider's and the server operator's DNS servers, the policy preferably returns either the latest IP address for “www.company.com” or returns the IP address from the service provider's DNS server, such as 216.32.74.10. The client computer then sends a request to 216.32.74.10, which returns the company's Web page. The above method, therefore, resolves host names in a VPN with multiple DNS servers.
- The above method may also be used by the service provider to control the use of the search engine, most likely page, and results list returned when a user enters text into the text box that cannot be resolved. If neither of the DNS servers can resolve the host name, they transmit (step 546) a “No Host Found” message to the modem. The modem receives (step 548) the message and sends (step 550) the a search term to a search engine dictated by the service provider, or alternatively by the VPN system administrator, where the search term is based on the unlocated host name. The search engine receives (step 558) the search and conducts a search (step 560) based on the search term. The modem transmits (step 552) the address or IRL (Information Resource Locator) of where the search results can be found to the client computer. Once the client computer receives (step 554) the address, it requests, receives, and displays (step 556) the results as it would any Web-page. In this way, the service provider and/or VPN system administrator can control the search results displayed to the user. For example, the VPN system administrator can set up the system so that when text is entered into the text box by a user, and no host address can be resolved from the text, the results of a search of the server operator's web site, using the text as the search term, can be displayed to the user. Furthermore, the service provider can generate revenue from displaying advertiser's Web pages more prominently on a list of search results. In an alternative embodiment, if the DNS servers do not respond at all, or do not respond within a predetermined time, the modem automatically conducts the search.
- Moreover, the above method may also be used to resolve host addresses for devices coupled to the VPN. Users using a file manager, such as WINDOWS EXPLORER™, or an Internet browser, such as MICROSOFT'S INTERNET EXPLORER™, in conjunction with more recent versions of MICROSOFT WINDOWS™, can resolve the host name of devices, or directories on these devices, coupled to the VPN. For example, if the host query entered into the text box of the GUIs of the above applications was for “ComputerName” the modem would attempt to locate a device, or directories on a device, that matched the entered name. The modem would send the host name to both DNS servers and if a device, or directories on a device, on the VPN matches “ComputerName,” return the address of that device.
- The above described method addresses the drawbacks associated with current DNS systems, while allowing a service provider to specify which search engine is to be used if a name cannot be resolved.
-
FIG. 6 is a Graphical User Interface (GUI) of a VPN systemadministration Web page 600. It should be noted any user interface that performs the same function asWeb page 600 may be used to administer a VPN. The VPN systemadministration Web page 600 comprises fields for entering ausername 602, apassword 604, and a SecurID token-code 606. Anorganization menu 608, preferably a drop down menu, is provided for allowing the VPN system administrator to select the server-side systems 130 (FIG. 1 ) to which VPN service will be provided. Ausers menu 610, preferably a drop down menu, is provided for allowing the VPN system administrator to select the users to which VPN service will be provided. Users are preferably listed alphabetically. Alternatively, two user menus may be provided, one for current active users and one for new users requesting VPN service. - For each user the administrator can enable 614, suspend 616, or delete 618 VPN service. Also, for each user the administrator can select organization configuration (may belong to multiple organizations) and for each organization enter IP address to use, list additional network subnets allowed to connect to, specify security level used (set of IKE and IPSec Authentication and Encryption algorithms, Diffie-Hellman key size, etc.), specify split tunneling (On/Off).
- A
status box 612 is provided where the administrator can view the connection status, who the VPN Concentrator is connected to, the last connection time, the total usage, the bytes transferred, the time on-line, the encryption/authentication algorithms used, certificate information, or the like - The administrator can also preferably add new server operator details by clicking on
button 620. New details may include a VPN Concentrator IP address, a VPN Concentrator type, a secondary VPN Concentrator IP address, a secondary VPN Concentrator type, a Radius Server IP address, a secondary Radius Server IP address, the security level—encryption/authentication, a Radius Shared Secret, a list of network subnets allowed to connect to, or the like. - In the case where a user reports a lost or stolen modem, the VPN administrator can notify the service provider of the loss, preferably through the administrator Web-site. This causes NRMS (Network Resource Management System) on the OSS to revoke the modem's certificates, disable VPN service for this modem, and delete the modem's policy configuration on the VPN Concentrator. Because of the nature of a DSL connection, and because the modem interoperates with the NMS and with it's saved configuration, the modem can only be operated from the user's phone line, and, therefore, cannot be used to connect to the corporate network from another DSL phone line.
- The above methods provide a VPN service which fulfills the requirements of network security and access control, while from the user and administrator's perspective is very easy to install, configure and manage.
- While the foregoing description and drawings represent the preferred embodiment of the present invention, it will be understood that various additions, modifications and substitutions may be made therein without departing from the spirit and scope of the present invention as defined in the accompanying claims. In particular, it will be clear to those skilled in the art that the present invention may be embodied in other specific forms, structures, arrangements, proportions, and with other elements, materials, and components, without departing from the spirit or essential characteristics thereof. The presently disclosed embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims, and not limited to the foregoing description. Furthermore, it should be noted that the order in which the process is performed may vary without substantially altering the outcome of the process.
Claims (24)
1. A computer implemented method for resolving host names on a network, comprising:
receiving at a modem a host name query from a client computer;
simultaneously transmitting said host name query from said modem to a plurality of Domain Name System (DNS) servers; and
returning a response to said client computer from said modem, where said response is based on said host name query and any responses received from said DNS servers.
2. (canceled)
3. (canceled)
4. (canceled)
5. (canceled)
6. The computer implemented method of claim 1 , wherein said returning further comprises:
determining that a host has not been located by said DNS servers;
performing a search using said host name query as a search string; and
transmitting a results address of where results of said search are located, to said client computer.
7. The computer implemented method of claim 6 , wherein said performing further comprises sending said host name query as a search string to a search engine.
8. The computer implemented method of claim 7 , wherein said sending further comprises sending said host name query as a search string to a search engine selected by a service provider.
9. The computer implemented method of claim 7 , wherein said sending step further comprises sending said host name query as a search string to a search engine selected by a system administrator.
10. The computer implemented method of claim 1 , wherein said returning step further comprises:
searching a cache for an address associated with said host name query; and
returning a located address to said client, such that said client computer can send a request for content to said address.
11. The computer implemented method of claim 1 , wherein said returning step further comprises:
searching a cache based on said host name query;
returning cached content associated with said host name query to said client computer, such that said client can display said content.
12. The computer implemented method of claim 1 , wherein said modem is coupled to a VPN (Virtual Private Network), and at least one of said plurality of DNS servers forms part of the VPN.
13. A computer program product for resolving host names on a Virtual Private Network (VPN), the computer program product comprising a computer readable storage and a computer program embedded therein, the computer program comprising:
instructions for receiving a host name query from a client computer;
instructions for simultaneously transmitting said host name query to a plurality of Domain Name System (DNS) servers; and
instructions for returning a response to said client computer; where said response is based on said host name query and any responses received from said DNS servers.
14. (canceled)
15. (canceled)
16. (canceled)
17. (canceled)
18. The computer program product of claim 13 , wherein said instructions for returning comprise:
instructions for determining that a host has not been located by said DNS servers;
instructions for performing a search using said host name query as a search string; and
instructions for transmitting an address of where results of said search can be viewed to said client computer.
19. The computer program product of claim 18 , wherein said instructions for performing comprise instructions for sending said host name query as a search string to a search engine.
20. The computer program product of claim 19 , wherein said instructions for sending further comprise instructions for sending said host name query as a search string to a search engine selected by a service provider.
21. The computer program product of claim 19 , wherein said instructions for sending further comprise instructions for sending said host name query as a search string to a search engine selected by a system administrator.
22. The computer program product of claim 13 , wherein said instructions for returning step further comprise:
instructions for searching a cache for an address associated with said host name query; and
instructions for returning a located address to said client, such that said client computer can send a request for content to said address.
23. The computer program product of claim 13 , wherein said instructions for returning further comprise:
instructions for searching a cache based on said host name query;
instructions for returning cached content associated with said host name query to said client computer, such that said client can display said content.
24. The computer program product of claim 13 , wherein said modem is coupled to a VPN (Virtual Private Network), and at least one of said plurality of DNS servers forms part of the VPN.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/474,573 US20060271707A1 (en) | 2001-08-23 | 2006-06-26 | Domain name system resolution |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/938,430 US7099957B2 (en) | 2001-08-23 | 2001-08-23 | Domain name system resolution |
US11/474,573 US20060271707A1 (en) | 2001-08-23 | 2006-06-26 | Domain name system resolution |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/938,430 Continuation US7099957B2 (en) | 2001-08-23 | 2001-08-23 | Domain name system resolution |
Publications (1)
Publication Number | Publication Date |
---|---|
US20060271707A1 true US20060271707A1 (en) | 2006-11-30 |
Family
ID=25471429
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/938,430 Expired - Fee Related US7099957B2 (en) | 2001-08-23 | 2001-08-23 | Domain name system resolution |
US11/474,573 Abandoned US20060271707A1 (en) | 2001-08-23 | 2006-06-26 | Domain name system resolution |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/938,430 Expired - Fee Related US7099957B2 (en) | 2001-08-23 | 2001-08-23 | Domain name system resolution |
Country Status (1)
Country | Link |
---|---|
US (2) | US7099957B2 (en) |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040095962A1 (en) * | 2002-11-14 | 2004-05-20 | Allied Telesis K.K. | Data routing device, method for determining a destination of a request, and a computer program product for realizing the method |
US20050273606A1 (en) * | 2004-06-02 | 2005-12-08 | Nec Corporation | Communication system, communication apparatus, operation control method, and program |
US20060272029A1 (en) * | 2002-11-08 | 2006-11-30 | Hitachi, Ltd. | Command processing system by a management agent |
US20070047477A1 (en) * | 2005-08-23 | 2007-03-01 | Meshnetworks, Inc. | Extensible authentication protocol over local area network (EAPOL) proxy in a wireless network for node to node authentication |
US20070076695A1 (en) * | 2005-09-30 | 2007-04-05 | Christopher Chu | Method and apparatus for translating a telephone number to a packet network address in a soft modem |
US20070207773A1 (en) * | 2006-03-06 | 2007-09-06 | Braunstein Andrew S | Remote personnel tracking |
US20080056240A1 (en) * | 2006-09-01 | 2008-03-06 | Stephen Edgar Ellis | Triple play subscriber and policy management system and method of providing same |
US20090019183A1 (en) * | 2007-07-10 | 2009-01-15 | Qualcomm Incorporated | Methods and apparatus for data exchange in peer to peer communications |
US20090106404A1 (en) * | 2007-10-18 | 2009-04-23 | Christenson David A | Method and Apparatus for Dynamically Configuring Virtual Internet Protocol Addresses |
US20100049840A1 (en) * | 2008-08-19 | 2010-02-25 | Arcadyan Technology Corporation | Method For Automatically Re-Connecting Customer Premises Equipment (CPE) Web User Interface (UI) |
US20110080900A1 (en) * | 2008-06-12 | 2011-04-07 | Carsten Schlipf | Cellphone Wlan Access Point |
US7987506B1 (en) * | 2006-11-03 | 2011-07-26 | Cisco Technology, Inc. | Methods and systems for dynamically updating a routing table in a virtual private network |
US20120124239A1 (en) * | 2010-11-17 | 2012-05-17 | Hola, Inc. | Method and system for increasing speed of domain name system resolution within a computing device |
US20130013739A1 (en) * | 2010-03-26 | 2013-01-10 | Jean-Luc Grimault | DNS Server, Gateways and Methods for Managing an Identifier of a Port Range in the Transmission of Data |
US20150047009A1 (en) * | 2013-08-09 | 2015-02-12 | Fujitsu Limited | Access control method, access control system and access control device |
US20150117317A1 (en) * | 2010-09-07 | 2015-04-30 | Samsung Electronics Co., Ltd. | Apparatus and method for determining validity of wifi connection in wireless communication system |
US9473401B2 (en) | 2013-06-11 | 2016-10-18 | Fujitsu Limited | Network separation method and network separation device |
US20220353224A1 (en) * | 2020-07-29 | 2022-11-03 | Vmware, Inc. | Integration of client applications with hosted applications |
US11546305B2 (en) * | 2018-02-28 | 2023-01-03 | Dish Network Technologies India Private Limited | Methods and systems for secure DNS routing |
US11563712B2 (en) * | 2018-11-21 | 2023-01-24 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Method for domain name query, electronic device, and storage medium |
Families Citing this family (87)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7099957B2 (en) * | 2001-08-23 | 2006-08-29 | The Directtv Group, Inc. | Domain name system resolution |
US7313815B2 (en) * | 2001-08-30 | 2007-12-25 | Cisco Technology, Inc. | Protecting against spoofed DNS messages |
JP2003242118A (en) * | 2002-02-19 | 2003-08-29 | Allied Tereshisu Kk | Communication system, relay device, and program |
US7937471B2 (en) | 2002-06-03 | 2011-05-03 | Inpro Network Facility, Llc | Creating a public identity for an entity on a network |
JP2004021666A (en) * | 2002-06-18 | 2004-01-22 | Hitachi Ltd | Network system, server, and server setting method |
KR100477653B1 (en) * | 2002-06-22 | 2005-03-23 | 삼성전자주식회사 | Apparatus and method for searching DNS server on outer net |
US7444507B2 (en) * | 2002-06-30 | 2008-10-28 | Intel Corporation | Method and apparatus for distribution of digital certificates |
US7469338B2 (en) * | 2002-07-29 | 2008-12-23 | Broadcom Corporation | System and method for cryptographic control of system configurations |
US7653746B2 (en) * | 2002-08-02 | 2010-01-26 | University Of Southern California | Routable network subnet relocation systems and methods |
US8234358B2 (en) | 2002-08-30 | 2012-07-31 | Inpro Network Facility, Llc | Communicating with an entity inside a private network using an existing connection to initiate communication |
JP2004120534A (en) * | 2002-09-27 | 2004-04-15 | Matsushita Electric Ind Co Ltd | Router, repeater and forwarding method |
JP2004295358A (en) * | 2003-03-26 | 2004-10-21 | Internatl Business Mach Corp <Ibm> | Information processor, encryption processing system thereof and method for controlling external storing device |
US7949785B2 (en) * | 2003-03-31 | 2011-05-24 | Inpro Network Facility, Llc | Secure virtual community network system |
US7760729B2 (en) * | 2003-05-28 | 2010-07-20 | Citrix Systems, Inc. | Policy based network address translation |
JP2005051473A (en) * | 2003-07-28 | 2005-02-24 | Sony Corp | Network interconnection device, network interconnection method, name solving device, and computer program |
US8280946B1 (en) * | 2003-09-10 | 2012-10-02 | Google Inc. | Reduction of perceived DNS lookup latency |
US7725933B2 (en) * | 2003-10-07 | 2010-05-25 | Koolspan, Inc. | Automatic hardware-enabled virtual private network system |
US7478169B2 (en) * | 2003-10-16 | 2009-01-13 | International Business Machines Corporation | Accessing data processing systems behind a NAT enabled network |
WO2005057341A2 (en) * | 2003-12-02 | 2005-06-23 | Koolspan, Inc. | Automatic hardware-enabled virtual private network system |
US8392612B2 (en) * | 2003-12-24 | 2013-03-05 | Apple Inc. | Replication server selection method |
US7673049B2 (en) * | 2004-04-19 | 2010-03-02 | Brian Dinello | Network security system |
US8972856B2 (en) * | 2004-07-29 | 2015-03-03 | Yahoo! Inc. | Document modification by a client-side application |
US20070016559A1 (en) * | 2005-07-14 | 2007-01-18 | Yahoo! Inc. | User entertainment and engagement enhancements to search system |
US20060026023A1 (en) * | 2004-08-02 | 2006-02-02 | Cooley Donald R Jr | Method of leasing an automobile |
US20060088026A1 (en) * | 2004-10-27 | 2006-04-27 | Microsoft Corporation | Message based network configuration of domain name services |
US7743093B2 (en) * | 2004-11-10 | 2010-06-22 | Microsoft Corporation | Message based network configuration of domain name purchase |
US8073971B2 (en) * | 2004-12-10 | 2011-12-06 | Microsoft Corporation | Message based network configuration of dynamic domain name services |
US20060129804A1 (en) * | 2004-12-10 | 2006-06-15 | Microsoft Corporation | Message based network configuration of server certificate purchase |
US8316434B2 (en) * | 2005-02-23 | 2012-11-20 | At&T Intellectual Property I, L.P. | Centralized access control system and methods for distributed broadband access points |
JP4639871B2 (en) * | 2005-03-16 | 2011-02-23 | セイコーエプソン株式会社 | Login system, login method and program |
US7386633B2 (en) * | 2005-04-21 | 2008-06-10 | International Business Machines Corporation | Priority based differentiated DNS processing |
US9692725B2 (en) | 2005-05-26 | 2017-06-27 | Citrix Systems, Inc. | Systems and methods for using an HTTP-aware client agent |
US8397287B2 (en) * | 2006-08-21 | 2013-03-12 | Citrix Systems, Inc. | Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute |
US8943304B2 (en) * | 2006-08-03 | 2015-01-27 | Citrix Systems, Inc. | Systems and methods for using an HTTP-aware client agent |
US9621666B2 (en) | 2005-05-26 | 2017-04-11 | Citrix Systems, Inc. | Systems and methods for enhanced delta compression |
US9407608B2 (en) | 2005-05-26 | 2016-08-02 | Citrix Systems, Inc. | Systems and methods for enhanced client side policy |
JP2007156770A (en) * | 2005-12-05 | 2007-06-21 | Ricoh Co Ltd | Data processor, program and recording medium |
US8316429B2 (en) * | 2006-01-31 | 2012-11-20 | Blue Coat Systems, Inc. | Methods and systems for obtaining URL filtering information |
US8064357B2 (en) * | 2006-02-06 | 2011-11-22 | At&T Intellectual Property I, L.P. | Methods, DSL modems, and computer program products for provisioning DSL service using downloaded username/password |
WO2007095240A2 (en) * | 2006-02-13 | 2007-08-23 | Tricipher, Inc. | Flexible and adjustable authentication in cyberspace |
US20070283430A1 (en) * | 2006-06-02 | 2007-12-06 | Research In Motion Limited | Negotiating vpn tunnel establishment parameters on user's interaction |
US7860769B2 (en) * | 2006-07-26 | 2010-12-28 | Benson Tracey M | Method of preventing fraud |
US8413229B2 (en) | 2006-08-21 | 2013-04-02 | Citrix Systems, Inc. | Method and appliance for authenticating, by an appliance, a client to access a virtual private network connection, based on an attribute of a client-side certificate |
US7904572B2 (en) * | 2006-11-10 | 2011-03-08 | Canon Denshi Kabushiki Kaisha | Method, apparatus, and medium for controlling access to and setting for features of an imaging processing device |
US8156557B2 (en) * | 2007-01-04 | 2012-04-10 | Cisco Technology, Inc. | Protection against reflection distributed denial of service attacks |
WO2009005433A1 (en) * | 2007-07-05 | 2009-01-08 | Telefonaktiebolaget Lm Ericsson (Publ) | Dns manager |
US7734792B2 (en) * | 2007-07-25 | 2010-06-08 | Novell, Inc. | Secure tunnel domain name management |
US8601542B1 (en) * | 2007-12-28 | 2013-12-03 | Crimson Corporation | Systems and methods providing for configuration file downloads |
US8429715B2 (en) * | 2008-08-08 | 2013-04-23 | Microsoft Corporation | Secure resource name resolution using a cache |
US20090282028A1 (en) * | 2008-09-23 | 2009-11-12 | Michael Subotin | User Interface and Method for Web Browsing based on Topical Relatedness of Domain Names |
US8904519B2 (en) * | 2009-06-18 | 2014-12-02 | Verisign, Inc. | Shared registration system multi-factor authentication |
WO2012063099A1 (en) * | 2010-11-08 | 2012-05-18 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatus for enabling dns redirection in mobile telecommunication systems |
US9292682B2 (en) * | 2011-05-09 | 2016-03-22 | International Business Machines Corporation | Accessing a second web page from a dispersed storage network memory based on a first web page selection |
US20170192684A1 (en) | 2011-05-09 | 2017-07-06 | International Business Machines Corporation | Auditing a transaction in a dispersed storage network |
US8433779B2 (en) * | 2011-05-16 | 2013-04-30 | Hitachi, Ltd. | Computer system for allocating IP address to communication apparatus in computer subsystem newly added and method for newly adding computer subsystem to computer system |
US10229197B1 (en) * | 2012-04-20 | 2019-03-12 | The Directiv Group, Inc. | Method and system for using saved search results in menu structure searching for obtaining faster search results |
US10334298B1 (en) | 2012-04-20 | 2019-06-25 | The Directv Group, Inc. | Method and system for searching content using a content time based window within a user device |
US9444779B2 (en) * | 2012-06-04 | 2016-09-13 | Microsoft Technology Lincensing, LLC | Dynamic and intelligent DNS routing with subzones |
GB2513796B (en) * | 2012-11-05 | 2020-06-17 | Pismo Labs Technology Ltd | Methods and gateways for processing DNS request |
US10142282B2 (en) * | 2012-11-05 | 2018-11-27 | Pismo Labs Technology Limited | Methods and gateways for processing DNS request |
US20140149559A1 (en) * | 2012-11-29 | 2014-05-29 | Inside Secure | Virtual private network (vpn) system utilizing configuration message including vpn character configuration string |
US10447524B1 (en) * | 2013-03-14 | 2019-10-15 | EMC IP Holding Company LLC | Unified datapath processing with virtualized storage processors |
WO2015069912A1 (en) * | 2013-11-06 | 2015-05-14 | Improvement Interactive, LLC | Dynamic application version selection |
US9912630B2 (en) * | 2013-12-13 | 2018-03-06 | Pismo Labs Technology Ltd. | Methods and systems for processing a DNS request |
US9942199B2 (en) * | 2013-12-31 | 2018-04-10 | Open Invention Network, Llc | Optimizing connections over virtual private networks |
US9215231B1 (en) * | 2014-02-25 | 2015-12-15 | Amazon Technologies, Inc. | Using a fraud metric for provisioning of digital certificates |
US9306935B2 (en) | 2014-02-25 | 2016-04-05 | Amazon Technologies, Inc. | Provisioning digital certificates in a network environment |
US20160007201A1 (en) * | 2014-05-27 | 2016-01-07 | Telmate, Llc | Vpn-based mobile device security |
US9906497B2 (en) | 2014-10-06 | 2018-02-27 | Cryptzone North America, Inc. | Multi-tunneling virtual network adapter |
US9148408B1 (en) | 2014-10-06 | 2015-09-29 | Cryptzone North America, Inc. | Systems and methods for protecting network devices |
US10375043B2 (en) * | 2014-10-28 | 2019-08-06 | International Business Machines Corporation | End-to-end encryption in a software defined network |
US9930004B2 (en) | 2015-10-13 | 2018-03-27 | At&T Intellectual Property I, L.P. | Method and apparatus for expedited domain name system query resolution |
US9866519B2 (en) * | 2015-10-16 | 2018-01-09 | Cryptzone North America, Inc. | Name resolving in segmented networks |
EP3160176B1 (en) * | 2015-10-19 | 2019-12-11 | Vodafone GmbH | Using a service of a mobile packet core network without having a sim card |
US10708226B2 (en) * | 2016-01-29 | 2020-07-07 | Verisign, Inc. | Domain name resolution |
US9628444B1 (en) | 2016-02-08 | 2017-04-18 | Cryptzone North America, Inc. | Protecting network devices by a firewall |
US10412048B2 (en) | 2016-02-08 | 2019-09-10 | Cryptzone North America, Inc. | Protecting network devices by a firewall |
CN106888268A (en) * | 2017-03-24 | 2017-06-23 | 杭州迪普科技股份有限公司 | A kind of analysis method and device of domain name |
US10848545B2 (en) | 2018-01-31 | 2020-11-24 | EMC IP Holding Company LLC | Managing cloud storage of block-based and file-based data |
US10740192B2 (en) | 2018-01-31 | 2020-08-11 | EMC IP Holding Company LLC | Restoring NAS servers from the cloud |
US11042448B2 (en) | 2018-01-31 | 2021-06-22 | EMC IP Holding Company LLC | Archiving NAS servers to the cloud |
US11283763B2 (en) | 2018-12-28 | 2022-03-22 | Mcafee, Llc | On-device dynamic safe browsing |
US10970257B2 (en) | 2019-01-31 | 2021-04-06 | EMC IP Holding Company LLC | Replicating file systems via cloud storage |
US11405237B2 (en) | 2019-03-29 | 2022-08-02 | Mcafee, Llc | Unencrypted client-only virtual private network |
US11362999B2 (en) * | 2019-03-29 | 2022-06-14 | Mcafee, Llc | Client-only virtual private network |
US11281541B2 (en) | 2020-01-15 | 2022-03-22 | EMC IP Holding Company LLC | Dynamic snapshot backup in multi-cloud environment |
US11611536B2 (en) * | 2020-06-10 | 2023-03-21 | 360 It, Uab | Enhanced privacy-preserving access to a VPN service |
Citations (45)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4200770A (en) * | 1977-09-06 | 1980-04-29 | Stanford University | Cryptographic apparatus and method |
US5307402A (en) * | 1990-11-19 | 1994-04-26 | Exxon Research And Engineering Company | Reduced time remote access method |
US5754774A (en) * | 1996-02-15 | 1998-05-19 | International Business Machine Corp. | Client/server communication system |
US5777989A (en) * | 1995-12-19 | 1998-07-07 | International Business Machines Corporation | TCP/IP host name resolution for machines on several domains |
US5787470A (en) * | 1996-10-18 | 1998-07-28 | At&T Corp | Inter-cache protocol for improved WEB performance |
US5794230A (en) * | 1996-03-15 | 1998-08-11 | Microsoft Corporation | Method and system for creating and searching directories on a server |
US5991306A (en) * | 1996-08-26 | 1999-11-23 | Microsoft Corporation | Pull based, intelligent caching system and method for delivering data over a network |
US6009459A (en) * | 1997-01-10 | 1999-12-28 | Microsoft Corporation | Intelligent automatic searching for resources in a distributed environment |
US6108330A (en) * | 1997-09-26 | 2000-08-22 | 3Com Corporation | Apparatus and methods for use therein for an ISDN LAN modem that selects among a plurality of DNS servers for responding to a DNS query |
US6118768A (en) * | 1997-09-26 | 2000-09-12 | 3Com Corporation | Apparatus and methods for use therein for an ISDN LAN modem utilizing browser-based configuration with adaptation of network parameters |
US6145003A (en) * | 1997-12-17 | 2000-11-07 | Microsoft Corporation | Method of web crawling utilizing address mapping |
US6178535B1 (en) * | 1997-04-10 | 2001-01-23 | Nokia Mobile Phones Limited | Method for decreasing the frame error rate in data transmission in the form of data frames |
US6298308B1 (en) * | 1999-05-20 | 2001-10-02 | Reid Asset Management Company | Diagnostic network with automated proactive local experts |
US20010036192A1 (en) * | 2000-03-17 | 2001-11-01 | Chiles David Clyde | Home-networking |
US20020010798A1 (en) * | 2000-04-20 | 2002-01-24 | Israel Ben-Shaul | Differentiated content and application delivery via internet |
US20020026503A1 (en) * | 2000-04-12 | 2002-02-28 | Samuel Bendinelli | Methods and system for providing network services using at least one processor interfacing a base network |
US20020027915A1 (en) * | 2000-09-01 | 2002-03-07 | George Foti | System and method for address resolution in internet protocol (IP) -based networks |
US6377571B1 (en) * | 1998-04-23 | 2002-04-23 | 3Com Corporation | Virtual modem for dialout clients in virtual private network |
US20020118671A1 (en) * | 1995-11-15 | 2002-08-29 | Data Race, Inc. | Extending office telephony and network data services to a remote client through the internet |
US20020154623A1 (en) * | 2001-04-20 | 2002-10-24 | Hank Hundemer | Provision of digital data via multiple broadcasts |
US20020169988A1 (en) * | 2000-12-22 | 2002-11-14 | Vandergeest Ron J. | Method and apparatus for providing user authentication using a back channel |
US20020178361A1 (en) * | 2001-05-24 | 2002-11-28 | International Business Machines Corporation | System and method for dynamically determining CRL locations and access methods |
US20030009592A1 (en) * | 2001-07-05 | 2003-01-09 | Paul Stahura | Method and system for providing static addresses for Internet connected devices even if the underlying address is dynamic |
US20030014541A1 (en) * | 2001-07-13 | 2003-01-16 | Yuri Poeluev | Method and apparatus for resolving a web site address when connected with a virtual private network (VPN) |
US6523027B1 (en) * | 1999-07-30 | 2003-02-18 | Accenture Llp | Interfacing servers in a Java based e-commerce architecture |
US20030039268A1 (en) * | 2001-08-14 | 2003-02-27 | Chong Lester J. | System and method for provisioning broadband service in a PPPoE network using a list of stored domain names |
US6538996B1 (en) * | 1998-02-25 | 2003-03-25 | Enterasys Networks, Inc. | Remote computer communication |
US6560634B1 (en) * | 1997-08-15 | 2003-05-06 | Verisign, Inc. | Method of determining unavailability of an internet domain name |
US6601233B1 (en) * | 1999-07-30 | 2003-07-29 | Accenture Llp | Business components framework |
US6609128B1 (en) * | 1999-07-30 | 2003-08-19 | Accenture Llp | Codes table framework design in an E-commerce architecture |
US6609153B1 (en) * | 1998-12-24 | 2003-08-19 | Redback Networks Inc. | Domain isolation through virtual network machines |
US6633878B1 (en) * | 1999-07-30 | 2003-10-14 | Accenture Llp | Initializing an ecommerce database framework |
US6662221B1 (en) * | 1999-04-12 | 2003-12-09 | Lucent Technologies Inc. | Integrated network and service management with automated flow through configuration and provisioning of virtual private networks |
US6671729B1 (en) * | 2000-04-13 | 2003-12-30 | Lockheed Martin Corporation | Autonomously established secure and persistent internet connection and autonomously reestablished without user intervention that connection if it lost |
US20040039798A1 (en) * | 1999-03-03 | 2004-02-26 | Ultradns, Inc. | Domain name resolution system and method |
US6704873B1 (en) * | 1999-07-30 | 2004-03-09 | Accenture Llp | Secure gateway interconnection in an e-commerce based environment |
US6711138B1 (en) * | 1999-09-30 | 2004-03-23 | Conexant Systems, Inc. | Digital subscriber line/home phoneline network router |
US6748439B1 (en) * | 1999-08-06 | 2004-06-08 | Accelerated Networks | System and method for selecting internet service providers from a workstation that is connected to a local area network |
US20040123153A1 (en) * | 2002-12-18 | 2004-06-24 | Michael Wright | Administration of protection of data accessible by a mobile device |
US6760746B1 (en) * | 1999-09-01 | 2004-07-06 | Eric Schneider | Method, product, and apparatus for processing a data request |
US6765591B2 (en) * | 1999-04-02 | 2004-07-20 | Nortel Networks Limited | Managing a virtual private network |
US6765881B1 (en) * | 2000-12-06 | 2004-07-20 | Covad Communications Group, Inc. | Virtual L2TP/VPN tunnel network and spanning tree-based method for discovery of L2TP/VPN tunnels and other layer-2 services |
US6871347B2 (en) * | 2001-04-13 | 2005-03-22 | Interland, Inc. | Method and apparatus for facilitating load balancing across name servers |
US6986018B2 (en) * | 2001-06-26 | 2006-01-10 | Microsoft Corporation | Method and apparatus for selecting cache and proxy policy |
US7099957B2 (en) * | 2001-08-23 | 2006-08-29 | The Directtv Group, Inc. | Domain name system resolution |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6718535B1 (en) | 1999-07-30 | 2004-04-06 | Accenture Llp | System, method and article of manufacture for an activity framework design in an e-commerce based environment |
-
2001
- 2001-08-23 US US09/938,430 patent/US7099957B2/en not_active Expired - Fee Related
-
2006
- 2006-06-26 US US11/474,573 patent/US20060271707A1/en not_active Abandoned
Patent Citations (46)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4200770A (en) * | 1977-09-06 | 1980-04-29 | Stanford University | Cryptographic apparatus and method |
US5307402A (en) * | 1990-11-19 | 1994-04-26 | Exxon Research And Engineering Company | Reduced time remote access method |
US20020118671A1 (en) * | 1995-11-15 | 2002-08-29 | Data Race, Inc. | Extending office telephony and network data services to a remote client through the internet |
US5777989A (en) * | 1995-12-19 | 1998-07-07 | International Business Machines Corporation | TCP/IP host name resolution for machines on several domains |
US5754774A (en) * | 1996-02-15 | 1998-05-19 | International Business Machine Corp. | Client/server communication system |
US5794230A (en) * | 1996-03-15 | 1998-08-11 | Microsoft Corporation | Method and system for creating and searching directories on a server |
US5991306A (en) * | 1996-08-26 | 1999-11-23 | Microsoft Corporation | Pull based, intelligent caching system and method for delivering data over a network |
US5787470A (en) * | 1996-10-18 | 1998-07-28 | At&T Corp | Inter-cache protocol for improved WEB performance |
US6009459A (en) * | 1997-01-10 | 1999-12-28 | Microsoft Corporation | Intelligent automatic searching for resources in a distributed environment |
US6178535B1 (en) * | 1997-04-10 | 2001-01-23 | Nokia Mobile Phones Limited | Method for decreasing the frame error rate in data transmission in the form of data frames |
US6560634B1 (en) * | 1997-08-15 | 2003-05-06 | Verisign, Inc. | Method of determining unavailability of an internet domain name |
US6108330A (en) * | 1997-09-26 | 2000-08-22 | 3Com Corporation | Apparatus and methods for use therein for an ISDN LAN modem that selects among a plurality of DNS servers for responding to a DNS query |
US6118768A (en) * | 1997-09-26 | 2000-09-12 | 3Com Corporation | Apparatus and methods for use therein for an ISDN LAN modem utilizing browser-based configuration with adaptation of network parameters |
US6145003A (en) * | 1997-12-17 | 2000-11-07 | Microsoft Corporation | Method of web crawling utilizing address mapping |
US6538996B1 (en) * | 1998-02-25 | 2003-03-25 | Enterasys Networks, Inc. | Remote computer communication |
US6377571B1 (en) * | 1998-04-23 | 2002-04-23 | 3Com Corporation | Virtual modem for dialout clients in virtual private network |
US6609153B1 (en) * | 1998-12-24 | 2003-08-19 | Redback Networks Inc. | Domain isolation through virtual network machines |
US20040039798A1 (en) * | 1999-03-03 | 2004-02-26 | Ultradns, Inc. | Domain name resolution system and method |
US6765591B2 (en) * | 1999-04-02 | 2004-07-20 | Nortel Networks Limited | Managing a virtual private network |
US6662221B1 (en) * | 1999-04-12 | 2003-12-09 | Lucent Technologies Inc. | Integrated network and service management with automated flow through configuration and provisioning of virtual private networks |
US20020032544A1 (en) * | 1999-05-20 | 2002-03-14 | Reid Alan J. | Diagnostic network with automated proactive local experts |
US6298308B1 (en) * | 1999-05-20 | 2001-10-02 | Reid Asset Management Company | Diagnostic network with automated proactive local experts |
US6704873B1 (en) * | 1999-07-30 | 2004-03-09 | Accenture Llp | Secure gateway interconnection in an e-commerce based environment |
US6633878B1 (en) * | 1999-07-30 | 2003-10-14 | Accenture Llp | Initializing an ecommerce database framework |
US6609128B1 (en) * | 1999-07-30 | 2003-08-19 | Accenture Llp | Codes table framework design in an E-commerce architecture |
US6523027B1 (en) * | 1999-07-30 | 2003-02-18 | Accenture Llp | Interfacing servers in a Java based e-commerce architecture |
US6601233B1 (en) * | 1999-07-30 | 2003-07-29 | Accenture Llp | Business components framework |
US6748439B1 (en) * | 1999-08-06 | 2004-06-08 | Accelerated Networks | System and method for selecting internet service providers from a workstation that is connected to a local area network |
US6760746B1 (en) * | 1999-09-01 | 2004-07-06 | Eric Schneider | Method, product, and apparatus for processing a data request |
US6711138B1 (en) * | 1999-09-30 | 2004-03-23 | Conexant Systems, Inc. | Digital subscriber line/home phoneline network router |
US20010036192A1 (en) * | 2000-03-17 | 2001-11-01 | Chiles David Clyde | Home-networking |
US20020026503A1 (en) * | 2000-04-12 | 2002-02-28 | Samuel Bendinelli | Methods and system for providing network services using at least one processor interfacing a base network |
US6671729B1 (en) * | 2000-04-13 | 2003-12-30 | Lockheed Martin Corporation | Autonomously established secure and persistent internet connection and autonomously reestablished without user intervention that connection if it lost |
US20020010798A1 (en) * | 2000-04-20 | 2002-01-24 | Israel Ben-Shaul | Differentiated content and application delivery via internet |
US20020027915A1 (en) * | 2000-09-01 | 2002-03-07 | George Foti | System and method for address resolution in internet protocol (IP) -based networks |
US6765881B1 (en) * | 2000-12-06 | 2004-07-20 | Covad Communications Group, Inc. | Virtual L2TP/VPN tunnel network and spanning tree-based method for discovery of L2TP/VPN tunnels and other layer-2 services |
US20020169988A1 (en) * | 2000-12-22 | 2002-11-14 | Vandergeest Ron J. | Method and apparatus for providing user authentication using a back channel |
US6871347B2 (en) * | 2001-04-13 | 2005-03-22 | Interland, Inc. | Method and apparatus for facilitating load balancing across name servers |
US20020154623A1 (en) * | 2001-04-20 | 2002-10-24 | Hank Hundemer | Provision of digital data via multiple broadcasts |
US20020178361A1 (en) * | 2001-05-24 | 2002-11-28 | International Business Machines Corporation | System and method for dynamically determining CRL locations and access methods |
US6986018B2 (en) * | 2001-06-26 | 2006-01-10 | Microsoft Corporation | Method and apparatus for selecting cache and proxy policy |
US20030009592A1 (en) * | 2001-07-05 | 2003-01-09 | Paul Stahura | Method and system for providing static addresses for Internet connected devices even if the underlying address is dynamic |
US20030014541A1 (en) * | 2001-07-13 | 2003-01-16 | Yuri Poeluev | Method and apparatus for resolving a web site address when connected with a virtual private network (VPN) |
US20030039268A1 (en) * | 2001-08-14 | 2003-02-27 | Chong Lester J. | System and method for provisioning broadband service in a PPPoE network using a list of stored domain names |
US7099957B2 (en) * | 2001-08-23 | 2006-08-29 | The Directtv Group, Inc. | Domain name system resolution |
US20040123153A1 (en) * | 2002-12-18 | 2004-06-24 | Michael Wright | Administration of protection of data accessible by a mobile device |
Cited By (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060272029A1 (en) * | 2002-11-08 | 2006-11-30 | Hitachi, Ltd. | Command processing system by a management agent |
US7430761B2 (en) * | 2002-11-08 | 2008-09-30 | Hitachi, Ltd. | Command processing system by a management agent |
US20040095962A1 (en) * | 2002-11-14 | 2004-05-20 | Allied Telesis K.K. | Data routing device, method for determining a destination of a request, and a computer program product for realizing the method |
US20050273606A1 (en) * | 2004-06-02 | 2005-12-08 | Nec Corporation | Communication system, communication apparatus, operation control method, and program |
US20070047477A1 (en) * | 2005-08-23 | 2007-03-01 | Meshnetworks, Inc. | Extensible authentication protocol over local area network (EAPOL) proxy in a wireless network for node to node authentication |
US20070076695A1 (en) * | 2005-09-30 | 2007-04-05 | Christopher Chu | Method and apparatus for translating a telephone number to a packet network address in a soft modem |
US20070207773A1 (en) * | 2006-03-06 | 2007-09-06 | Braunstein Andrew S | Remote personnel tracking |
US7664481B2 (en) * | 2006-03-06 | 2010-02-16 | Healthwyse, Llc | Remote personnel tracking |
US20080056240A1 (en) * | 2006-09-01 | 2008-03-06 | Stephen Edgar Ellis | Triple play subscriber and policy management system and method of providing same |
US8681779B2 (en) * | 2006-09-01 | 2014-03-25 | Alcatel Lucent | Triple play subscriber and policy management system and method of providing same |
US7987506B1 (en) * | 2006-11-03 | 2011-07-26 | Cisco Technology, Inc. | Methods and systems for dynamically updating a routing table in a virtual private network |
US9037750B2 (en) * | 2007-07-10 | 2015-05-19 | Qualcomm Incorporated | Methods and apparatus for data exchange in peer to peer communications |
US20090019183A1 (en) * | 2007-07-10 | 2009-01-15 | Qualcomm Incorporated | Methods and apparatus for data exchange in peer to peer communications |
US20090106404A1 (en) * | 2007-10-18 | 2009-04-23 | Christenson David A | Method and Apparatus for Dynamically Configuring Virtual Internet Protocol Addresses |
US8972547B2 (en) * | 2007-10-18 | 2015-03-03 | International Business Machines Corporation | Method and apparatus for dynamically configuring virtual internet protocol addresses |
US9025532B2 (en) | 2008-06-12 | 2015-05-05 | Qualcomm, Incorporated | Cellphone WLAN access point |
US20110080900A1 (en) * | 2008-06-12 | 2011-04-07 | Carsten Schlipf | Cellphone Wlan Access Point |
US8774091B2 (en) * | 2008-06-12 | 2014-07-08 | Qualcomm Incorporated | Cellphone WLAN access point |
US20100049840A1 (en) * | 2008-08-19 | 2010-02-25 | Arcadyan Technology Corporation | Method For Automatically Re-Connecting Customer Premises Equipment (CPE) Web User Interface (UI) |
US8190756B2 (en) * | 2008-08-19 | 2012-05-29 | Arcadyan Technology Corporation | Method for automatically re-connecting customer premises equipment (CPE) web user interface (UI) |
US9602333B2 (en) * | 2010-03-26 | 2017-03-21 | France Telecom | DNS server, gateways and methods for managing an identifier of a port range in the transmission of data |
US20130013739A1 (en) * | 2010-03-26 | 2013-01-10 | Jean-Luc Grimault | DNS Server, Gateways and Methods for Managing an Identifier of a Port Range in the Transmission of Data |
US20150117317A1 (en) * | 2010-09-07 | 2015-04-30 | Samsung Electronics Co., Ltd. | Apparatus and method for determining validity of wifi connection in wireless communication system |
US8671221B2 (en) * | 2010-11-17 | 2014-03-11 | Hola Networks Ltd. | Method and system for increasing speed of domain name system resolution within a computing device |
US9043429B2 (en) | 2010-11-17 | 2015-05-26 | Hola Networks Ltd. | Method and system for increasing speed of domain name system resolution within a computing device |
US9515981B2 (en) | 2010-11-17 | 2016-12-06 | Hola Networks Ltd. | Method and system for increasing speed of domain name system resolution within a computing device |
US20120124239A1 (en) * | 2010-11-17 | 2012-05-17 | Hola, Inc. | Method and system for increasing speed of domain name system resolution within a computing device |
US9866523B2 (en) | 2010-11-17 | 2018-01-09 | Hola Newco Ltd. | Method and system for increasing speed of domain name system resolution within a computing device |
US10148612B2 (en) | 2010-11-17 | 2018-12-04 | Hola Newco Ltd. | Method and system for increasing speed of domain name system resolution within a computing device |
US9473401B2 (en) | 2013-06-11 | 2016-10-18 | Fujitsu Limited | Network separation method and network separation device |
US20150047009A1 (en) * | 2013-08-09 | 2015-02-12 | Fujitsu Limited | Access control method, access control system and access control device |
US11546305B2 (en) * | 2018-02-28 | 2023-01-03 | Dish Network Technologies India Private Limited | Methods and systems for secure DNS routing |
US11563712B2 (en) * | 2018-11-21 | 2023-01-24 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Method for domain name query, electronic device, and storage medium |
US20220353224A1 (en) * | 2020-07-29 | 2022-11-03 | Vmware, Inc. | Integration of client applications with hosted applications |
US11736427B2 (en) * | 2020-07-29 | 2023-08-22 | Vmware, Inc. | Integration of client applications with hosted applications |
Also Published As
Publication number | Publication date |
---|---|
US20030041091A1 (en) | 2003-02-27 |
US7099957B2 (en) | 2006-08-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7099957B2 (en) | Domain name system resolution | |
US7769838B2 (en) | Single-modem multi-user virtual private network | |
US7197550B2 (en) | Automated configuration of a virtual private network | |
US6131120A (en) | Enterprise network management directory containing network addresses of users and devices providing access lists to routers and servers | |
US9673988B2 (en) | Systems and methods for certifying devices to communicate securely | |
US6529513B1 (en) | Method of using static maps in a virtual private network | |
CA2394456C (en) | Flexible automated connection to virtual private networks | |
US7251824B2 (en) | Accessing a private network | |
EP1134955A1 (en) | Enterprise network management using directory containing network addresses of users and devices providing access lists to routers and servers | |
US10680830B2 (en) | Systems and methods for certifying devices to communicate securely | |
US20150381387A1 (en) | System and Method for Facilitating Communication between Multiple Networks | |
Chen et al. | Research on meteorological information network security system based on VPN Technology | |
Cisco | C Commands | |
Cisco | Understanding the Cisco VPN Client | |
Cisco | Case Study for Layer 3 Authentication and Encryption | |
Cisco | Access VPNs and IP Security Protocol Tunneling Technology Overview | |
Cisco | C Commands | |
Cisco | Configuration Sections | |
Cisco | Index | |
Cisco | Configuring Certification Authority Interoperability | |
Cisco | Glossary | |
Cisco | Introduction to Cisco IPsec Technology | |
Cisco | Configuration Sections | |
Cisco | Configuring IPSec and Certification Authorities | |
Cisco | Configuring IPSec and Certification Authorities |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |